Critical vulnerability in certain versions of Apache HTTP Server

Australian Cyber Security Centre

Background / What has happened?

Vulnerabilities (CVE-2021-41773 and CVE-2021-42013) have been identified in Apache HTTP Server, one of the most commonly used web servers in Australia and globally across both Unix-based and Microsoft Windows environments. These vulnerabilities could allow a cyber actor to execute arbitrary code remotely or download sensitive files outside of the web server root. A cyber actor could use these vulnerabilities to install malware or otherwise control the affected host, or to download files containing credentials or other sensitive information. The Apache Software Foundation has released an update (version 2.4.51) which addresses the vulnerabilities present in versions 2.4.49 and 2.4.50.

The Apache Software Foundation has identified that this vulnerability is actively being exploited.

Mitigation / How do I stay secure?

Australian organisations who utilise Apache HTTP Server should review their patch level and update to the latest available version if required.
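The following script is an added example, not part of the ACSC advisory, showing one way to carry out the patch-level review described above across a fleet. It takes the version banner each host reports (the first line of `httpd -v`, or a `Server:` response header), parses the Apache version, and flags hosts running 2.4.49 or 2.4.50 as affected and 2.4.51 or later as patched. The host names and banner strings are constructed sample data; `SAMPLE_INVENTORY`, `assess` and `affected_hosts` are names chosen here, not part of any Apache tooling.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Versions the advisory names as affected, and the release that fixes them.
AFFECTED_VERSIONS = {(2, 4, 49), (2, 4, 50)}
FIXED_VERSION: Version = (2, 4, 51)

# Matches "Apache/2.4.49" in either `httpd -v` output or a Server header.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


class HostStatus(NamedTuple):
    host: str
    version: Optional[Version]
    status: str


def parse_apache_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from a banner, or None if it is not Apache."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(version: Optional[Version]) -> str:
    """Map a parsed version onto the advisory's affected / fixed boundaries."""
    if version is None:
        return "unknown"          # not an Apache banner, or banner suppressed
    if version in AFFECTED_VERSIONS:
        return "affected"         # 2.4.49 or 2.4.50: update to 2.4.51 or later
    if version >= FIXED_VERSION:
        return "patched"
    return "not affected"         # releases before 2.4.49 do not carry these two CVEs


def assess(inventory: Dict[str, str]) -> List[HostStatus]:
    """Classify every host in a {hostname: banner} mapping."""
    results = []
    for host, banner in inventory.items():
        version = parse_apache_version(banner)
        results.append(HostStatus(host, version, classify(version)))
    return results


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hostnames that still need the 2.4.51 update."""
    return [r.host for r in assess(inventory) if r.status == "affected"]


# Constructed sample inventory: banners as `httpd -v` / Server headers would report them.
SAMPLE_INVENTORY = {
    "web01": "Server version: Apache/2.4.49 (Unix)\nServer built:   Sep 16 2021",
    "web02": "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021",
    "web03": "Server: Apache/2.4.41 (Ubuntu)",
    "web04": "Server: nginx/1.18.0",
}

if __name__ == "__main__":
    for result in assess(SAMPLE_INVENTORY):
        shown = ".".join(map(str, result.version)) if result.version else "-"
        print(f"{result.host:8} {shown:10} {result.status}")
    print("needs update:", affected_hosts(SAMPLE_INVENTORY))
```

A banner check is a triage aid, not proof of exposure or of remediation: some builds suppress or shorten the version string, and distribution packages may carry backported fixes under an older version number, so confirm each flagged host against its package manager's changelog before closing the item.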
