Apache HTTP Server 2.4.49/2.4.50 Path Traversal and Command Execution Vulnerabilities (CVE-2021-42013)

Oct 09, 2021 GMT+08:00

I. Overview

Apache has disclosed that the fix shipped in Apache HTTP Server 2.4.50 for CVE-2021-41773 was incomplete, so the path traversal and command execution vulnerability, now tracked as CVE-2021-42013, still affects 2.4.50 as well as 2.4.49. A remote attacker can use an encoded path traversal request to map URLs to files outside the directories configured by Alias-like directives; if those files are not protected by the usual default "Require all denied" configuration, the request succeeds and the file contents are disclosed. If CGI scripts are also enabled for such aliased paths (for example, mod_cgi behind a ScriptAlias), the same traversal can be used to execute code on the server. A proof of concept for this vulnerability has been published, so the risk is high.

If you run Apache HTTP Server 2.4.49 or 2.4.50, check the installed version (for example, the first line of httpd -v or apachectl -v, which reads "Server version: Apache/2.4.x") and apply the fix promptly.
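As an added example (not part of this notice, and not Huawei Cloud or Apache code), the following Python script performs the two checks a practitioner wants at this point: it classifies a server version banner as affected or not, and it scans Apache access-log lines for requests whose path still contains a ".." segment after percent-decoding is applied repeatedly rather than once. The function names, the assumption that logs are in Apache combined format, and the sample log lines are all constructed for this example; the encoded forms in the sample lines are shaped like the layered encoding that a single decoding pass misses, which is why the decoder loops until the string stops changing.

```python
import re
from urllib.parse import unquote

# Releases this notice names as affected (data taken from the notice above).
AFFECTED_VERSIONS = {"2.4.49", "2.4.50"}


def is_affected(version_line: str) -> bool:
    """Return True when a banner such as 'Server: Apache/2.4.50 (Unix)' or the
    first line of `httpd -v` ('Server version: Apache/2.4.49 (Unix)') names an
    affected release. A line without an 'Apache/x.y.z' token is treated as not
    affected, so feed it real banners rather than guesses."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", version_line)
    return bool(m) and m.group(1) in AFFECTED_VERSIONS


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing.

    One unquote() pass turns '%2e' into '.', but turns '%%32%65' only into
    '%2e' (the '%32' and '%65' become '2' and 'e'). A detector that decodes
    once and then looks for '..' misses the layered form, so decode
    repeatedly; the round limit keeps pathological input from looping."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if any path segment, after full decoding, is exactly '..'.
    Splitting into segments means '/docs/a..b' is not flagged but
    '/x/.%2e/y' is; the query string is ignored."""
    decoded = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in re.split(r"[/\\]", decoded))


# Apache combined log format (assumed):
# client ident user [time] "method path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_traversal_attempts(log_lines):
    """Scan access-log lines and return one dict per request whose path
    decodes to a '..' traversal. A status of 200 on such a request is the
    line worth escalating; 403/404 means the server refused it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if is_traversal(path):
            hits.append({"client": client, "time": ts, "method": method,
                         "path": path, "decoded": fully_decode(path),
                         "status": int(status)})
    return hits


# Constructed sample log lines (not from any real server). The first two carry
# single- and double-encoded '..' segments; the third is benign; the fourth
# has '..' inside a segment name and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"',
    '203.0.113.7 - - [09/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.79.1"',
    '198.51.100.4 - - [09/Oct/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Oct/2021:10:00:04 +0000] "GET /docs/a%2e%2e%2fb HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("affected:", is_affected("Server version: Apache/2.4.50 (Unix)"))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['client']} {hit['status']} {hit['path']} -> {hit['decoded']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; on a patched server the same decoded ".." requests should appear with 403 or 404 rather than 200, which is the quickest way to confirm the upgrade took effect from the log side.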

Reference link:

https://httpd.apache.org/security/vulnerabilities_24.html

II. Severity

Severity: important

(Severity scale: low, moderate, important, and critical. Note that Apache's own advisory rates CVE-2021-42013 as critical.)

III. Affected Products

Affected versions:

Apache HTTP Server: 2.4.49/2.4.50

Secure versions:

Apache HTTP Server: 2.4.51

All releases other than Apache HTTP Server 2.4.49 and 2.4.50

IV. Vulnerability Handling

If you are not running Apache HTTP Server 2.4.49 or 2.4.50, no action is needed. Both vulnerabilities are fixed in 2.4.51; if you run 2.4.49 or 2.4.50, upgrade to 2.4.51 or later as soon as possible.

Download link: https://httpd.apache.org/download.cgi

HUAWEI CLOUD WAF can defend against these vulnerabilities. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules. WAF blocking mitigates exploitation attempts but does not replace upgrading the server.

Note: Before applying the fix, back up your files and test the upgrade thoroughly.