First published: 07 Oct 2021
Last updated: 08 Oct 2021

Content written for

Small & medium business
Large organisations & infrastructure
Government

Background / What has happened?

Vulnerabilities (CVE-2021-41773 and CVE-2021-42013) have been identified in Apache HTTP Server, one of the most commonly used web servers in Australia and globally across both Unix-based and Microsoft Windows environments. These vulnerabilities could allow a cyber actor to execute arbitrary code remotely or download sensitive files outside of the web server root. A cyber actor could use these vulnerabilities to install malware or otherwise control the affected host, or to download files containing credentials or other sensitive information. The Apache Software Foundation has released a new update (version 2.4.51) which addresses the vulnerabilities present in 2.4.49 and 2.4.50.

The Apache Software Foundation has identified that this vulnerability is actively being exploited.

Mitigation / How do I stay secure?

Australian organisations that use Apache HTTP Server should review their patch level and update to the latest available version if required.

Further details on the vulnerability and software updates are available from the Apache Software Foundation.
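
One way to carry out the patch-level review described above, as an added example (not ACSC or Apache Software Foundation code): a shell script that reads the version banner printed by the server binary's -v option and classifies it against the versions named in this advisory. The function names and the result labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not ACSC or Apache code. Function names are hypothetical.
# Versions come from the advisory: 2.4.49 and 2.4.50 affected, 2.4.51 fixed.

# Pull "X.Y.Z" out of a banner such as "Server version: Apache/2.4.49 (Unix)".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print: affected | fixed | older | other | unknown
classify_version() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; return 0 ;;
        *.*.*) ;;                      # exactly three numeric fields
        *) echo unknown; return 0 ;;   # empty string or too few fields
    esac
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ]; then
        echo other                     # not the 2.4 line the advisory covers
    elif [ "$patch" -eq 49 ] || [ "$patch" -eq 50 ]; then
        echo affected                  # update to 2.4.51 or later
    elif [ "$patch" -ge 51 ]; then
        echo fixed
    else
        echo older                     # not named in the advisory, but behind 2.4.51
    fi
}

# Check whichever Apache binary is on PATH; the three names are the common ones.
check_local_apache() {
    for bin in httpd apache2 apachectl; do
        if command -v "$bin" >/dev/null 2>&1; then
            ver=$(extract_version "$("$bin" -v 2>/dev/null | head -n 1)")
            echo "$bin: ${ver:-version not reported} -> $(classify_version "$ver")"
            return 0
        fi
    done
    echo "no Apache HTTP Server binary found on PATH"
}

check_local_apache
```

A result of affected means the host is running one of the two releases named in this advisory and should be updated to 2.4.51 or later.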

Assistance / Where can I go for help?

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ASD's ACSC via 1300 CYBER1 (1300 292 371).
