Ex Libris Knowledge Center

Security Advisory – Apache HTTP Server 2.4 Security Vulnerability October 17, 2021

Overview

On September 29, 2021, the Apache Security team was alerted to a path traversal vulnerability being actively exploited (zero-day) against Apache HTTP Server version 2.4.49. The vulnerability can allow an attacker to fully compromise the web server via remote code execution (RCE) or, at the very least, to access sensitive files. CVE-2021-41773 has been assigned to this issue. Both Linux- and Windows-based servers are vulnerable.

Effective Security Severity Level

Critical

Affected Systems

Ex Libris products do NOT use the affected Apache version (2.4.49).

Tests and Certifications

No further tests or certifications were needed.

Action Taken by Ex Libris for Cloud Systems

EX LIBRIS CLOUD SERVICES DOES NOT USE THE AFFECTED APACHE VERSION (2.4.49).

Actions Taken for Local / On-Premise

If you use Apache version 2.4.49 in your environment, Ex Libris recommends following the Apache instructions on their site: https://httpd.apache.org/security/vulnerabilities_24.html

 

Exploitation and Public Announcements

The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

 

Record of Changes

Type of information | Document Data
Document Title | Security Advisory – Apache HTTP Server 2.4 Security Vulnerability October 12, 2021
Document Owner | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Approved by | Barak Rozenblat – VP Cloud Services
Issued | October 17, 2021
Reviewed & Revised | October 17, 2021

Revision Control

Version Number | Nature of Change | Date Approved
1.0 | Initial version | October 17, 2021

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.