ALERT: Update Apache HTTP server 2.4.49 AND 2.4.50 to fix zero-day vulnerability

Friday, October 8, 2021

10-8-21: The information below was sent to U-M IT groups on Friday, October 8, 2021. It is intended for U-M IT staff who are responsible for university systems running Apache web server. This is an update to the ITS IA Alert regarding an Apache HTTPS server zero-day vulnerability originally sent on 10-5-21. Since then, we have learned that version 2.4.50 is also vulnerable and needs to be updated as soon as possible.

10-5-21: The information below was sent to U-M IT groups on Tuesday, October 5, 2021. It is intended for U-M IT staff who are responsible for university systems running Apache web server.

Summary

Update Apache HTTP servers running v. 2.4.49 or 2.4.50 to protect against zero-day vulnerabilities that are being actively exploited.Update Apache HTTP servers running v. 2.4.49 to protect against zero-day vulnerability that is being actively exploited.

Problem

Apache HTTP server versions 2.4.49 and 2.4.50 contain a flaw that could allow an attacker to access files outside the expected document root, potentially revealing sensitive information and, in some cases, allowing remote code execution.Apache HTTP server version 2.4.49 contains a flaw that could allow an attacker to access files outside the expected document root, potentially revealing sensitive information.

Affected Systems

Affected Versions

Apache HTTP servers 2.4.49 and 2.4.50

Action Items

Update any Apache servers running 2.4.49 or 2.4.50 to Apache 2.4.51 as soon as possible. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Threats

This vulnerability is being actively exploited.

Technical Details

Apache HTTP server versions 2.4.49 and 2.4.50 contain a flaw in a change made to path normalization. The intended fix for this issue in version 2.4.50 was found to be incomplete. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If CGI scripts are enabled, then remote code execution may also be possible.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.