Critical Vulnerability in Certain Versions of Apache HTTP Server
18 October 2021
A vulnerability exists in Apache HTTP Server 2.4.49. A cyber actor could exploit this vulnerability to execute arbitrary code. Initial information also indicates that the vulnerability could also be used perform remote code execution under certain configurations. Affected Australian organisations should apply the available patch.
Alert status: CRITICAL
Background /What has happened?
Vulnerabilities (CVE-2021-41773) and CVE-2021-42013) have been identified in Apache HTTP Server, one of the most commonly used web servers in Australia and globally across both Unix-based and Microsoft Windows environments. This vulnerability could allow a cyber actor to execute arbitrary code remotely or download sensitive files outside of the web server root. A cyber actor could use these vulnerabilities to install malware or otherwise control the affected host or download files containing credentials or other sensitive information. A new update has been released by the Apache Software Foundation (version 2.4.51) which addresses the vulnerabilities present in 2.4.49 and 2.4.50.
The Apache Software Foundation has identified that this vulnerability is actively being exploited.
Mitigation / How do I stay secure?
Australian organisations who utilise Apache HTTP Server should review their patch level and update to the latest available version if required.
The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).