Background / What has happened?
A vulnerability (CVE-2021-41773) was identified in Apache HTTP Server, one of the most commonly used web servers in Australia and globally across both Unix-based and Microsoft Windows environments. This vulnerability could allow a cyber actor to download sensitive files outside of the web server root, such as files containing credentials or other sensitive information. This vulnerability only affects one specific version, 2.4.49, which was released on 16 September 2021.
There is initial information emerging that under some deployment configurations of Apache HTTP Server exploitation of this vulnerability can result in remote code execution however this has not been confirmed.
The Apache Software Foundation has identified that this vulnerability is actively being exploited.
Mitigation / How do I stay secure?
Australian organisations who utilise Apache HTTP Server should review their patch level and update to the latest available version if required.
Further details on the vulnerability and software updates are available from the Apache Software Foundation.