CVE-2021-41773

9.8 CRITICAL

📋 TL;DR

CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows attackers to access files outside configured directories. If CGI is enabled, this can lead to remote code execution. Only Apache 2.4.49 is affected, though the initial fix in 2.4.50 was incomplete.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.49 only
Operating Systems: All operating systems running Apache
Default Config Vulnerable: ⚠️ Yes
Notes: Requires specific configurations where files outside aliased directories are not protected by 'require all denied' and CGI is enabled for those paths.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with full system compromise if CGI scripts are enabled and files outside aliased directories are accessible.

🟠 Likely Case: Unauthorized file access and potential information disclosure from web server directories.

🟢 If Mitigated: Limited impact if 'require all denied' is properly configured and CGI is disabled for aliased paths.

🌐 Internet-Facing: HIGH - This affects web servers directly exposed to the internet with known public exploits.
🏢 Internal Only: MEDIUM - Internal servers are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts exist and active exploitation has been observed in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.50 (though incomplete, see CVE-2021-42013) and 2.4.51 for complete fix

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download Apache 2.4.51 or later from official sources.
3. Stop the Apache service.
4. Install the updated version.
5. Restart the Apache service.
6. Verify the version with 'httpd -v'.

🔧 Temporary Workarounds

Disable CGI for aliased paths

all

Prevent remote code execution by disabling CGI execution for vulnerable path configurations

# In httpd.conf or appropriate config file, ensure:
Options -ExecCGI
# For specific directories:
<Directory "/path/to/aliased">
    Options -ExecCGI
</Directory>

Implement strict access controls

all

Ensure all directories outside aliased paths have 'require all denied'

# In httpd.conf:
<Directory />
    Require all denied
</Directory>
# Then explicitly allow only necessary directories

🧯 If You Can't Patch

  • Immediately upgrade to Apache 2.4.51 or later - this is critical due to active exploitation
  • If immediate upgrade is impossible, implement network segmentation and restrict access to affected servers while planning upgrade

🔍 How to Verify

Check if Vulnerable:

Check Apache version with 'httpd -v' or 'apache2 -v'. If version is exactly 2.4.49, the system is vulnerable.

Check Version:

httpd -v 2>/dev/null || apache2 -v 2>/dev/null || apachectl -v 2>/dev/null

Verify Fix Applied:

After patching, verify version is 2.4.51 or later with 'httpd -v'. Test with known exploit payloads to confirm they no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns with '../' sequences in access logs
  • Requests to unexpected file paths outside normal web directories
  • Failed CGI execution attempts in error logs

Network Indicators:

  • HTTP requests containing encoded path traversal sequences like %2e%2e%2f
  • Unusual file retrieval patterns from web server

SIEM Query:

source="apache_access" AND (uri="*%2e%2e%2f*" OR uri="*..%2f*" OR uri="*../*")
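
Added example, not part of the original page: wildcard matching on the raw URI misses mixed or nested encodings and also fires on harmless strings, so this sketch percent-decodes the request path and flags only real '..' path segments. It assumes Apache combined-format access logs; the sample lines, IP addresses, paths and the decode bound are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request and status fields of a common/combined log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

MAX_DECODE_ROUNDS = 3  # assumption: upper bound on nested percent-encoding layers


def has_traversal(target: str) -> bool:
    """True if the request path holds a '..' segment, raw or after percent-decoding."""
    path = target.split("?", 1)[0]  # this CVE concerns the path, not the query string
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if ".." in re.split(r"[/\\]", path):
            return True
        decoded = unquote(path)
        if decoded == path:  # nothing left to decode
            return False
        path = decoded
    return False


def scan(lines):
    """Return (client_ip, target, status) for every line with a traversal attempt."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2021:10:00:02 +0000] "GET /icons/%2e%2e%2f%2e%2e%2fplaceholder.txt HTTP/1.1" 403 199',
    '198.51.100.7 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/..%2f..%2fplaceholder.txt HTTP/1.1" 200 1024',
    # Benign: '..' inside a file name and in the query string, not a path segment.
    '203.0.113.5 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/v2.4..5/notes.html?next=../a HTTP/1.1" 200 300',
    '198.51.100.7 - - [06/Oct/2021:10:00:05 +0000] "POST /cgi-bin/%2E%2e/%2E%2e/placeholder HTTP/1.1" 200 45',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        # A 200 on a traversal request deserves immediate triage; 403 means access control held.
        print(f"status={status} client={ip} target={target}")
```

Hits that returned status 200 are the ones to triage first, since they suggest the server resolved the path instead of rejecting it.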
