Security Advisory – Apache HTTP Server 2.4 Security Vulnerability October 17, 2021
Overview
On September 29, 2021, the Apache Security team was alerted to a path traversal vulnerability being actively exploited (zero-day) against Apache HTTP Server version 2.4.49. The vulnerability can allow an attacker to fully compromise the web server via remote code execution (RCE) or, at the very least, to access sensitive files. CVE-2021-41773 has been assigned to this issue. Both Linux-based and Windows-based servers are vulnerable.
References
Effective Security Severity Level
Critical
Affected Systems
Ex Libris products do NOT use the affected Apache version (2.4.49).
Tests and Certifications
No further tests or certifications were needed.
Action Taken by Ex Libris for Cloud Systems
EX LIBRIS CLOUD SERVICES DOES NOT USE THE AFFECTED APACHE VERSION (2.4.49).
Actions Taken for Local / On-Premise
If you use Apache version 2.4.49 in your environment, Ex Libris recommends following the Apache instructions found on the Apache site: https://httpd.apache.org/security/vulnerabilities_24.html
Exploitation and Public Announcements
The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Record of Changes
Type of information | Document Data |
---|---|
Document Title: | Security Advisory – Apache HTTP Server 2.4 Security Vulnerability October 12, 2021 |
Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
Approved by: | Barak Rozenblat – VP Cloud Services |
Issued: | October 17, 2021 |
Reviewed & Revised: | October 17, 2021 |
Revision Control
| Version Number | Nature of Change | Date Approved |
|---|---|---|
| | Initial version | October 17, 2021 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.