On October 5, CVE-2021-41773 made the rounds through the news, the blogosphere and the Twitterverse. We now see public POCs (proofs of concept) showing how to exploit this issue. Please pay attention to this vulnerability!
Servers running Apache 2.4.49 and 2.4.50 may be exposed to remote code execution (RCE) and path traversal. RCE allows attackers to run commands on your servers. Path traversal allows attackers to access data and files they should not be able to access. Full exposure depends on configuration, but many Internet-facing systems are vulnerable.
This sort of issue leaves many wondering, “am I vulnerable?” Team Cymru’s Pure Signal™ intelligence helps to answer that question!
Our Open Ports data set records version information on Internet-facing systems. Within this data set, you can see details on version strings, banners, daemons and services. For this vulnerability, we ran a wildcard query for “*Apache/2.4.49*” to find banners reporting the Apache version in question.
Figure: Geographic prevalence of Apache vulnerability
What does this show? We see 25,503 systems running Apache version 2.4.49 now or recently. These systems, and systems running 2.4.50, should patch to version 2.4.51, per Apache’s recommendation. We did not attempt to confirm the POCs work against these systems.
What did we do with this data? Team Cymru exists to save and improve human lives. Before writing this missive, we shared our results with several groups.
We cannot reach out to individual system operators, but we did what we could. Within the community of experts we know, we sent out lists to help them focus their teams on patching. We have done this for decades, and we will continue to do it always.