Running a recent Apache web server version? You probably need to patch it. Now

The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited. Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great. The latter, a path traversal and file disclosure …

  1. Lon24

    Let it Bleed

    Phew - our freshly updated Debian 10 based servers are still on 2.4.38.

    No edgy nervous breakdowns for us.

    1. Anonymous Coward

      Re: Let it Bleed

      Same for our internal VisualSVN Server!

      Glad to see that isn't vulnerable. It's not a shadow IT installation, but it's pretty far in the shade (tacitly supported by local IT on one of the few in-house servers left, maintained by an Engineering group; if corporate IT took notice, it'd go away because they're in "everything to the cloud" mode).

  2. Nate Amsden

    probably don't need to patch

    Would be surprised if more than 0.01% of Apache servers out there run that latest (affected) version. Ubuntu 20 for example runs 2.4.41. Can't remember the last time I felt a need to upgrade Apache (as in to get some feature or specific fix for an issue I had); I mean it's done everything I need going back to what was it, the 1.3 version, or maybe even earlier. Last time I built Apache from source was probably the late 90s.

  3. -v(o.o)v-

    Again!

    Apache has had quite a few of these path traversal vulnerabilities over the time.

    Here's to hoping they finally get it right this time, and even more importantly keep it that way.

    1. ghp

      Re: Again!

      You should ask for a refund.

  4. Steve Graham

    I have 2 Apaches in my home network. Running the referenced exploit on packetstormsecurity.com I get "Bad Request" in both cases. 2.4.37 and 2.4.43 - will update when Devuan repo does.

  5. This post has been deleted by its author

  6. Skiron

    Config!

    Having run Apache for about 18 years at home, and built from source in the last 12 years, the default httpd.conf has:

    <Directory />
        AllowOverride none
        Require all denied
    </Directory>

    Unless you override this then you need to know what you are doing (or not, it seems, if some people are being hit with this).

    1. Skiron

      Re: Config!

      Actually, I may be wrong with my above post. I just re-read the CVE reports again and can't work out if the Apache version involved ignores that directive totally from the main httpd.conf, so that the whole file system is open?

      Ideas anyone?
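The question above, whether a `Require all denied` on `<Directory />` still counts for anything against this bug, and Steve Graham's "Bad Request" result a few comments up, can both be illustrated with a small model. The following is an added example, not code from the page, from any commenter, or from httpd itself: a simplified Python model of the CVE-2021-41773 ordering problem in 2.4.49 (dot segments collapsed before percent-decoding, so a segment spelled `.%2e` is not treated as `..`), of how a default deny on the filesystem root turns a successful traversal into a 403, and of how the corrected ordering answers with 400 Bad Request. The document root, the `/cgi-bin/` alias target, the ACL lists and the probe URL are all assumptions constructed for the model; httpd's real parser and authorization code differ in detail.

```python
from urllib.parse import unquote
import posixpath

# Assumed layout for the model (not taken from the page): a document root and
# the target of a "ScriptAlias /cgi-bin/" mapping.
DOCROOT = "/var/www/html"
CGI_DIR = "/usr/lib/cgi-bin"

# Constructed access-control lists. The first mirrors the commenter's
# httpd.conf (<Directory /> ... Require all denied) plus the usual grants on
# the docroot and cgi-bin; the second omits the root deny.
ACL_ROOT_DENY = [("/", "denied"), (DOCROOT, "granted"), (CGI_DIR, "granted")]
ACL_NO_ROOT_DENY = [(DOCROOT, "granted"), (CGI_DIR, "granted")]

# Constructed probe in the shape of the public CVE-2021-41773 payload.
PROBE = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"


def strip_dot_segments(path):
    """Collapse '.' and '..' segments of an already-decoded URL path.

    Returns None when '..' would climb above '/'; httpd rejects such a
    request with 400 Bad Request instead of mapping it to a file.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def normalize_like_2449(url_path):
    """Simplified model of the 2.4.49 ordering bug: literal dot segments are
    collapsed first and percent-decoding happens afterwards, so a segment
    spelled '.%2e' is not recognised as '..' until it is too late. Only the
    ordering is modelled; httpd's real parser differs in detail."""
    collapsed = strip_dot_segments(url_path)
    return None if collapsed is None else unquote(collapsed)


def normalize_fixed(url_path):
    """Decode first, then collapse, so an encoded dot cannot hide a '..'."""
    return strip_dot_segments(unquote(url_path))


def map_to_file(url_path):
    """Translate a normalized URL path to a filesystem path, honouring the
    assumed /cgi-bin/ alias, and resolve any '..' that survived."""
    if url_path.startswith("/cgi-bin/"):
        fs_path = CGI_DIR + url_path[len("/cgi-bin"):]
    else:
        fs_path = DOCROOT + url_path
    return posixpath.normpath(fs_path)


def authorize(fs_path, acl):
    """Longest-prefix match over <Directory> sections. httpd grants access
    when no section applies at all, which is why a root deny matters."""
    verdict, best = "granted", -1
    for prefix, decision in acl:
        p = prefix.rstrip("/") + "/"
        if (fs_path + "/").startswith(p) and len(p) > best:
            verdict, best = decision, len(p)
    return verdict


def serve(url_path, normalize, acl):
    """Return the status code the modelled server answers with."""
    normalized = normalize(url_path)
    if normalized is None:
        return 400
    if authorize(map_to_file(normalized), acl) == "denied":
        return 403
    return 200


if __name__ == "__main__":
    for label, normalize in (("2.4.49-style", normalize_like_2449),
                             ("fixed order", normalize_fixed)):
        for acl_name, acl in (("root deny", ACL_ROOT_DENY),
                              ("no root deny", ACL_NO_ROOT_DENY)):
            print(f"{label:13} {acl_name:13} -> {serve(PROBE, normalize, acl)}")
```

Run as a script, the model gives 403 for the probe on the 2.4.49-style server with the root deny in place and 200 without it, while the fixed ordering returns 400 in both cases. That is the practical reading of the advisory wording: the directive is not ignored, but it is the only thing standing between the traversal and the file once the normalizer has let `..` through.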

  7. Gordon Shumway

    I have said this before

    and I will say this again.

    https://forums.theregister.com/forum/all/2021/05/05/21_nails_in_exim_mail/#c_4251349
