Apache HTTP Server Vulnerabilties: October 2021On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities:
- CVE-2021-41524: Null Pointer Dereference Vulnerability
- CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability
- CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
For descriptions of these vulnerabilities, see the Apache Security Announcement. For additional information, see the Cisco TALOS blog post, Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers.
Cisco investigated its product line and concluded that no Cisco products are affected by these vulnerabilities.
Security Impact Rating: Informational
CVE: CVE-2021-41524,CVE-2021-41773,CVE-2021-42013
Source: Apache HTTP Server Vulnerabilties: October 2021 (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Apache%20HTTP%20Server%20Vulnerabilties:%20October%202021&vs_k=1)