Vulnerability in the Apache 2.4.49 HTTP server that allows reading files outside the site root

Apache httpd 2.4.50 has been released as an urgent update that fixes an already actively exploited 0-day vulnerability (CVE-2021-41773) allowing access to files located outside the site's document root. Through the vulnerability, arbitrary system files and the source code of web scripts can be downloaded, as long as they are readable by the user account the HTTP server runs under. The developers were notified of the problem back on September 17, but were only able to release the update today, after cases of the vulnerability being exploited to attack websites were observed in the wild.

The impact is limited by the fact that the problem is present only in the recently released version 2.4.49 and does not affect any earlier release. The stable branches of conservative server distributions (Debian, RHEL, Ubuntu, SUSE) have not yet shipped release 2.4.49, but the issue does affect rolling-release distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

The vulnerability was caused by a bug introduced during a rewrite of the URI path normalization code: a dot character encoded as the sequence "%2e" was not normalized if it was preceded by another dot. As a result, an unsanitized "../" could be smuggled into the resulting path by placing the sequence ".%2e/" in the request. For example, requests such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" returned the contents of "/etc/passwd" and "/etc/hosts", respectively.
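The normalization point above, and what a defender would look for in access logs, as an added example that is not part of the original article or of Apache httpd. It shows the correct order of operations (percent-decode a path segment, then remove dot segments, so that ".%2e" collapses exactly like a literal "..") and runs a small check over constructed access-log lines to flag requests whose dot segments were percent-encoded or that try to climb above the root. Log lines, IP addresses and the helper names are constructed for this example.

```python
"""
Added example (not from the original article or the Apache project).

1. normalize_path(): percent-decode the request path, then remove dot
   segments the way RFC 3986 section 5.2.4 describes. Decoding first is
   the point: in Apache 2.4.49 a "%2e" that followed a literal dot was
   left undecoded, so ".%2e" survived dot-segment removal as ".."
2. find_traversal(): a log check that flags requests containing
   percent-encoded ".." segments (a legitimate client never needs to
   encode a dot) or that try to climb above the site root.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Common Log Format; constructed for the example.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_path(raw_path: str) -> Tuple[str, int]:
    """Return (normalized_path, underflow).

    underflow counts '..' segments that tried to go above '/'. The
    returned path is clamped at the root; a non-zero underflow is the
    traversal signal.
    """
    decoded = unquote(raw_path)      # decode once, as the server does
    out: List[str] = []
    underflow = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                 # empty and "." segments vanish
        if seg == "..":
            if out:
                out.pop()            # step back into the parent
            else:
                underflow += 1       # nothing left to pop: escape attempt
            continue
        out.append(seg)
    return "/" + "/".join(out), underflow


def encoded_dotdot_segments(raw_path: str) -> int:
    """Count segments that decode to '..' but were written percent-encoded
    (e.g. '.%2e' or '%2e%2e'). Browsers send a literal '..', so any such
    segment is worth flagging on its own."""
    return sum(1 for seg in raw_path.split("/")
               if "%" in seg and unquote(seg) == "..")


def find_traversal(log_lines: List[str]) -> List[Dict[str, str]]:
    """Scan access-log lines and return the suspicious ones with a reason."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                 # not in the expected format; skip
        path = m.group("target").split("?", 1)[0]   # drop the query string
        normalized, underflow = normalize_path(path)
        encoded = encoded_dotdot_segments(path)
        if encoded == 0 and underflow == 0:
            continue
        reason = []
        if encoded:
            reason.append(f"{encoded} percent-encoded '..' segment(s)")
        if underflow:
            reason.append(f"climbs {underflow} level(s) above the root")
        hits.append({
            "ip": m.group("ip"),
            "status": m.group("status"),
            "raw": path,
            "normalized": normalized,
            "reason": "; ".join(reason),
        })
    return hits


# Constructed sample log: two of the four lines use the ".%2e" trick.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:15:31 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1325',
    '198.51.100.4 - - [05/Oct/2021:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 612',
    '203.0.113.7 - - [05/Oct/2021:10:16:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220',
    '192.0.2.9 - - [05/Oct/2021:10:17:15 +0000] "GET /images/../css/site.css?v=3 HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['raw']} -> {hit['normalized']} ({hit['reason']})")
```

The fourth sample line is deliberately benign: a literal ".." that stays inside the root is common from sloppy relative links and produces no hit, whereas any percent-encoded ".." is flagged even before the root check. A 200 status on a flagged line is the case worth escalating; a 403 on the same pattern is consistent with the "require all denied" mitigation doing its job.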

The problem does not occur for directories to which access is explicitly denied with the "require all denied" directive, so partial protection can be obtained by adding the following to the configuration file:

    require all denied

Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524) in the HTTP/2 protocol module. A specially crafted request could trigger a NULL pointer dereference and crash the server process. This vulnerability is likewise present only in version 2.4.49; as a workaround, support for the HTTP/2 protocol can be disabled.

Source: opennet.ru