October 6, 2021

How To Fix CVE-2021-41773 A Path Traversal And File Disclosure Vulnerability In Apache?



A path traversal and file disclosure vulnerability has been found in the Apache web server. The report also reveals that the vulnerability, tracked as CVE-2021-41773, is being exploited in the wild. In this post, let's see how to fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability.

What Is Apache?

Apache is one of the best-known web server applications and has been in use for a few decades. It is developed and maintained by the Apache Software Foundation. Apache is an open-source application available for most operating systems, from Linux distributions to Mac and Windows. According to the report, Apache serves approximately 30% of web servers.

Summary Of CVE-2021-41773 a Path Traversal And File Disclosure Vulnerability:

The Apache Software Foundation says this vulnerability was reported on 2021-09-29 and was fixed in Apache HTTP Server v2.4.50 on 2021-10-01. According to the report, “An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by ‘require all denied’ these requests can succeed.” They also added that this vulnerability could leak the source of interpreted files like CGI scripts.

Apache Versions Affected By CVE-2021-41773 Path Traversal And File Disclosure Vulnerability:

This vulnerability affects all the versions below Apache v2.4.50. Therefore, you need to fix the CVE-2021-41773 Path Traversal and File Disclosure Vulnerability on all the versions, including Apache v2.4.49.

Reported to the security team: 2021-09-29
Fixed by r1893775 in 2.4.50: 2021-10-01
Update 2.4.50 released: 2021-10-04
Affects: 2.4.49

How To Fix CVE-2021-41773 a Path Traversal And File Disclosure Vulnerability?

Apache has released a new version, v2.4.50, in which the Path Traversal and File Disclosure Vulnerability (CVE-2021-41773) is fixed. Let's upgrade Apache to the latest version, v2.4.50, on Ubuntu or Linux Mint.

You can fix CVE-2021-41773, the Path Traversal and File Disclosure Vulnerability, in two ways.

  1. Update the Apache server to a version greater than or equal to v2.4.50

  2. Set restrictions in apache2.conf file

How to Fix CVE-2021-41773?
Method 1: Update system repositories

Run this command on your Ubuntu server to update the repositories and upgrade the installed packages.

$ sudo apt update && sudo apt upgrade -y

Step 1: Check the currently running version of the Apache server

Run this command to check the Apache server version on the Ubuntu server.

$ apache2 -v

Step 2: Add Apache PPA

Add the Apache PPA to fetch the latest compiled package from the Ubuntu repository.

$ sudo add-apt-repository ppa:ondrej/apache2 -y && sudo apt update

Step 3: Install Apache2

Upon adding the Apache PPA, install Apache from the new repositories.

$ sudo apt install apache2

Step 4: Verify the upgrade after the successful installation of Apache

Verify the version of Apache with the same command used earlier to check the running version.

$ apache2 -v

Method 2: Set restrictions in apache2.conf file


Edit the apache2.conf file under the /etc/apache2 directory using any text editor. We are using nano in this demonstration.

$ sudo nano /etc/apache2/apache2.conf

Step 1: Set restrictions in apache2.conf file

In the apache2.conf file, locate these lines and change Require all to denied if you see granted. By the way, this configuration has been updated in v2.4.50, so you do not need to change this setting when you update. However, ensure it is denied. This configuration will fix the vulnerability no matter which version of Apache you have.

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

After completing the change, write the changes to the file with Ctrl + o and Enter, then press Ctrl + x to exit the file.
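
As an added example (not part of the original post), the script below audits both fixes described above: it compares the version reported by apache2 -v against 2.4.50 and reads the Require all value inside the <Directory /> block of a config file. The function names are hypothetical, and the sample config and version banner are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit both fixes described above.

# apache_version: read `apache2 -v` output on stdin, print the version number.
apache_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# version_at_least VERSION MINIMUM: succeed when VERSION >= MINIMUM.
version_at_least() {
    awk -v v="$1" -v m="$2" 'BEGIN {
        split(v, a, "."); split(m, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0
    }'
}

# root_directory_policy CONF: print the "Require all" value set inside
# <Directory />, or "missing" when the block or the directive is absent.
root_directory_policy() {
    awk '
        BEGIN { policy = "missing" }
        /^[ \t]*#/ { next }   # skip comment lines
        tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { in_root = 1; next }
        tolower($0) ~ /^[ \t]*<\/directory>/ { in_root = 0; next }
        in_root && tolower($1 " " $2) == "require all" { policy = tolower($3) }
        END { print policy }
    ' "$1"
}

# Constructed sample input: a root block left at "granted" and a sample banner.
sample_conf=$(mktemp)
printf '%s\n' '<Directory />' '    Options FollowSymLinks' \
    '    AllowOverride None' '    Require all granted' '</Directory>' \
    '<Directory /var/www/>' '    Require all granted' '</Directory>' > "$sample_conf"
sample_banner='Server version: Apache/2.4.49 (Ubuntu)'

ver=$(printf '%s\n' "$sample_banner" | apache_version)
version_at_least "$ver" 2.4.50 || echo "Apache $ver is older than 2.4.50: upgrade"
[ "$(root_directory_policy "$sample_conf")" = denied ] ||
    echo "<Directory /> is not 'Require all denied': fix apache2.conf"
rm -f "$sample_conf"
```

On a real server, pipe apache2 -v into apache_version and pass /etc/apache2/apache2.conf to root_directory_policy.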


How To Validate Whether Your Site Is Vulnerable To CVE-2021-41773?

iilegaxyyii has created a Python script to check whether an Apache server is vulnerable to CVE-2021-41773. Download the Python file and pass the IP address or URL of your site or application like this.

CVE-2021-41773.py [-h] host

Checks if an apache server is vulnerable to CVE-2021-41773.

positional arguments:
  host        ip/domain to be checked e.g. 'https://google.com/'

optional arguments:
  -h, --help  show this help message and exit

This is how you can upgrade the Apache server to v2.4.50 and fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability.

We hope this post helps you fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability in the Apache server. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
