See the Updates section at the end of this post for information on developments that occurred after initial publication.

On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50 (see the Updates section for more on 2.4.50). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. Note that a non-default configuration is required for exploitability.

While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. While mod_cgi is not enabled in the default Apache HTTP Server configuration, it is also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program's output back to the attacker. Rapid7's research team has a full root cause analysis of CVE-2021-41773 here, along with proofs of concept.

Rapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).

Organizations that are using Apache HTTP Server 2.4.49 or 2.4.50 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server's configuration file should be updated to include the filesystem directory directive with require all denied:

Apache HTTP Server users should update to 2.4.51 or later as soon as is practical. For more information, see Apache's advisory here.

Rapid7 customers

A remote vulnerability check for CVE-2021-41773 was released to InsightVM and Nexpose customers in the October content update.

A remote vulnerability check for CVE-2021-42013 was released to InsightVM and Nexpose customers in the October content update.

October 7, 2021: Apache has updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, "an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution." CVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51, released October 7, 2021. For more information, see Apache's advisory. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Status of older (unsupported) versions of Apache Tomcat is unknown.

Because the Apache Tomcat application server responds to HTTP requests for directories with a redirect (appending a trailing slash) if the directory exists in the application's .war file, remote unauthenticated users could detect the presence of an application, and map out the internal structure of the application using a dictionary attack. The presence of a web application can be detected, and the use of Java can be detected even if identifying headers have been disabled (by trying to request the WEB-INF directory). Also, an attacker can determine if a certain string is a valid directory name in the application's.

Upgrade your Apache Tomcat installation to at least version 9. Note that two new configuration directives were introduced in these versions of Apache Tomcat: one to re-enable Tomcat identifying directories (mapperDirectoryRedirectEnabled, off by default), and one to enable the web application presence identifying behaviour (mapperContextRootRedirectEnabled, on by default because switching it off might cause issues with existing web applications). So to completely solve this issue, update Apache Tomcat and switch off mapperContextRootRedirectEnabled for any web applications that you wish to be undetectable by unauthenticated visitors.
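The Apache HTTP Server mitigation described above (protect the filesystem with the default-deny directory directive, then grant only the directories that are meant to be served) as an added httpd.conf fragment; this is example configuration written for this page, not text from Apache's or Rapid7's advisories, and the directory paths in it are assumed.

```apache
# Added example: default-deny layout that keeps an Alias-mapped path from
# being used to reach files elsewhere on the filesystem. Paths are assumed.

# Deny the whole filesystem first. Without this block, a request whose
# traversal survives the URL-to-file mapping can read any file the httpd
# process user can read.
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# Then grant access only to the directories that should be served.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride none
    Require all granted
</Directory>

# Alias-like mapping: grant the mapped directory explicitly. Because the
# root is denied above, files outside /srv/www/static inherit no access.
Alias "/static/" "/srv/www/static/"
<Directory "/srv/www/static">
    Options -Indexes
    AllowOverride none
    Require all granted
</Directory>

# Keep mod_cgi and CGI script directories disabled unless they are needed;
# an exposed CGI path is what turns the traversal into code execution on
# 2.4.49 and 2.4.50.
# LoadModule cgi_module modules/mod_cgi.so
# ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
```

To confirm what a server is actually running, check the binary version with `httpd -v` (or `apachectl -v`) and list loaded modules with `apachectl -t -D DUMP_MODULES` to see whether cgi_module is present; the version check, not the configuration, is what tells you whether the 2.4.51 update has been applied.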