Apache HTTP Server Vulnerabilties: October 2021

2021-10-07T16:00:00
ID CISCO-SA-APACHE-HTTPD-PATHTRV-LAZG68CZ
Type cisco
Reporter Cisco
Modified 2021-10-07T16:00:00

Description

On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities: CVE-2021-41524: Null Pointer Dereference Vulnerability CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

For descriptions of these vulnerabilities, see the Apache Security Announcement ["https://httpd.apache.org/security/vulnerabilities_24.html"]. For additional information, see the Cisco TALOS blog post, Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers ["https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html"].

Cisco investigated its product line and concluded that no Cisco products are affected by these vulnerabilities.