Mitigation Instructions for CVE-2016-4437
Mitigating CVE-2016-4437: Remote Code Execution Vulnerability in Apache ActiveMQ
5 min read
CyRisk Vulnerability Management Team : Mar 22, 2023 2:21:47 PM
SUBJECT: CVE-2021-42013 Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal
TECH STACK: Apache HTTP Server 2.4.50.
DATE(S) ISSUED: 10/07/2021
CRITICALITY: HIGH
OVERVIEW:
NIST Description: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
https://nvd.nist.gov/vuln/detail/CVE-2021-42013
THREAT INTELLIGENCE:
CISA has added CVE-2021-42013 to its Known Exploited Vulnerabilities Catalog, based
on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST: NVD
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SOLUTION:
To fix the CVE-2021-42013 vulnerability in the Apache HTTP Server, you should upgrade to a fixed version of the software. The specific version you should upgrade to will depend on which version of the Apache HTTP Server you are currently using.
The following versions of the Apache HTTP Server include a fix for the vulnerability:
To upgrade to a fixed version of the Apache HTTP Server, you can download the latest version of the software from the Apache HTTP Server download page (http://httpd.apache.org/download.cgi). Once you have downloaded the software, follow the instructions provided in the installation guide to install the new version.
Alternatively, you may be able to upgrade to a fixed version of the Apache HTTP Server using your operating system's package manager. Consult the documentation for your operating system or package manager for more information on how to upgrade software packages.
It is important to note that upgrading to a fixed version of the Apache HTTP Server will not automatically fix the vulnerability on your system. You will also need to ensure that any third-party modules or customizations you have made to the Apache HTTP Server are compatible with the new version.
REFERENCES:
CISCO:20211007 Apache HTTP Server Vulnerabilities: October 2021
CONFIRM:https://security.netapp.com/advisory/ntap-20211029-0009/
URL:https://security.netapp.com/advisory/ntap-20211029-0009/
FEDORA:FEDORA-2021-2a10bc68a4
FEDORA:FEDORA-2021-aaf90ef84a
GENTOO:GLSA-202208-20
URL:https://security.gentoo.org/glsa/202208-20
JVN:JVN#51106450
URL:http://jvn.jp/en/jp/JVN51106450/index.html
MISC:http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html
MISC:https://www.povilaika.com/apache-2-4-50-exploit/
MISC:http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
URL:http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
MISC:http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
URL:http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
MISC:https://httpd.apache.org/security/vulnerabilities_24.html
URL:https://httpd.apache.org/security/vulnerabilities_24.html
MISC:https://www.oracle.com/security-alerts/cpuapr2022.html
URL:https://www.oracle.com/security-alerts/cpuapr2022.html
MISC:https://www.oracle.com/security-alerts/cpujan2022.html
URL:https://www.oracle.com/security-alerts/cpujan2022.html
MLIST:[announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
MLIST:[httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings
MLIST:[httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
MLIST:[oss-security] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/07/6
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/1
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/2
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/3
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/4
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/5
MLIST:[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/08/6
MLIST:[oss-security] 20211009 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/09/1
MLIST:[oss-security] 20211011 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/11/4
MLIST:[oss-security] 20211015 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
URL:http://www.openwall.com/lists/oss-security/2021/10/15/3
MLIST:[oss-security] 20211016 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mitigating CVE-2016-4437: Remote Code Execution Vulnerability in Apache ActiveMQ
Mitigating CVE-2013-1896: Privilege Escalation Vulnerability in Puppet
Subject: Mitigating CVE-2014-6271: Shellshock Vulnerability in Bash