
Mitigation Instructions for CVE-2021-42013

Written by CyRisk Vulnerability Management Team | Mar 22, 2023 6:21:47 PM

SUBJECT: CVE-2021-42013 Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal

TECH STACK: Apache HTTP Server 2.4.50.  

DATE(S) ISSUED: 10/07/2021

CRITICALITY: HIGH

OVERVIEW:

NIST Description: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

https://nvd.nist.gov/vuln/detail/CVE-2021-42013

THREAT INTELLIGENCE:

CISA has added CVE-2021-42013 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST: NVD

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SOLUTION:

To fix the CVE-2021-42013 vulnerability in the Apache HTTP Server, you should upgrade to a fixed version of the software. The specific version you should upgrade to will depend on which version of the Apache HTTP Server you are currently using.

The following versions of the Apache HTTP Server include a fix for the vulnerability:

  • 2.4.51

To upgrade to a fixed version of the Apache HTTP Server, you can download the latest version of the software from the Apache HTTP Server download page (http://httpd.apache.org/download.cgi). Once you have downloaded the software, follow the instructions provided in the installation guide to install the new version.

Alternatively, you may be able to upgrade to a fixed version of the Apache HTTP Server using your operating system's package manager. Consult the documentation for your operating system or package manager for more information on how to upgrade software packages.

It is important to note that upgrading to a fixed version of the Apache HTTP Server will not automatically fix the vulnerability on your system. You will also need to ensure that any third-party modules or customizations you have made to the Apache HTTP Server are compatible with the new version.
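
To triage a host before and after the upgrade, the following added example (not code from CyRisk or the Apache project) checks a version banner against the affected releases and inspects a configuration for the two conditions named in the NIST description: a missing "Require all denied" on the root directory and enabled CGI. The function names, finding labels and sample configurations are assumptions constructed for illustration.

```python
import re

AFFECTED = {(2, 4, 49), (2, 4, 50)}  # releases the advisory names as affected

def parse_version(banner):
    """Pull (major, minor, patch) out of `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(g) for g in m.groups()) if m else None

def active_lines(conf):  # drop comment lines so disabled directives are not counted
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def root_denied(conf):
    """True if a <Directory /> block carries 'Require all denied'."""
    blocks = re.findall(r'(?is)<Directory\s+"?/"?\s*>(.*?)</Directory>', active_lines(conf))
    return any(re.search(r"(?im)^\s*Require\s+all\s+denied\b", b) for b in blocks)

def cgi_enabled(conf):
    """True if an active line loads mod_cgi/mod_cgid or defines a ScriptAlias."""
    return bool(re.search(r"(?im)^\s*(LoadModule\s+cgid?_module\b|ScriptAlias\b)", active_lines(conf)))

def audit(banner, conf):
    """Return which of the advisory's risk conditions apply."""
    ver = parse_version(banner)
    if ver not in AFFECTED:  # unparsed banner, or an unaffected release such as 2.4.51
        return ["version-unknown"] if ver is None else []
    findings = ["affected-version"]
    if not root_denied(conf):
        findings.append("root-not-denied")  # files outside aliased dirs are not protected
    if cgi_enabled(conf):
        findings.append("cgi-enabled")  # the advisory's precondition for code execution
    return findings

# Constructed sample configs (not from a real host).
WEAK_CONF = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""
HARDENED_CONF = """
#LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all denied
</Directory>
"""

print(audit("Apache/2.4.50", WEAK_CONF), audit("Apache/2.4.50", HARDENED_CONF))
```

The check reads only the text it is given and does not follow Include directives, so pass it the main configuration file concatenated with any files it includes.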
