Hello, welcome to the Thursday, October 7, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I took a little bit of closer look at the Apache vulnerability. That's CVE 2021-47.41773. Remember, that's the directory traversal vulnerability that only

affects Apache 2449. According to some of the commit comments in that version, they tried to

optimize performance of these checks that check whether or not a URL

is valid and inside the document route.

Well, they were a little bit too efficient here.

That's sort of what happened.

And then in Apache 2.450, which was released this week, they essentially added then again some code to look specifically for the

URL encoded dots. The vulnerable version was only available for download for about two weeks

from September 15th. So unless you downloaded Apache during that time, you shouldn't worry too much

about it.

However, if you do run 2449, there is also a possibility that you are subject to a remote code

execution vulnerability if you have CGI been enabled.

So it's pretty much exactly the same kind of issue that we had back in

2000, 2001 with IIS. Back then it was the scripts directory instead of CGI, but the similar mechanism

that could lead to code execution. Now, by default, an Apache CGI bin is usually not configured these days and also not really used as much.

So we have a relatively small population of servers that run the vulnerable version. Even less of them are subject to the remote code execution.

Interesting flaw in particular in a popular product like Apache. Totally get how stuff

like this can happen. Could have happened to me very well as well. This is fairly old code.

Some of the comments in this particular file go back to 1996. And so far this year we had a couple of critical war on abilities in VMware's

V-Center and VMware ESXI. Softos now has an interesting write-up describing some ransomware

that specifically goes after ESXI.

...