The CVE mentioned in the titie (cf. CVE - CVE-2021-41773) is an Apache vulnerability in v2.4.49 (the current version in the F34 repositories).
It is currently being exploited in the wild and one of my VMs fell victim to it. As I’m waiting for the Kickstart to finish installing a new copy of the affected system, I thought I’d ask if anyone could advise as to when an updated version (IIUC, this is fixed in Apache v.2.4.50) will be available via the Fedora Updates repo.
I searched around quite a bit on 'net as well as specifically on Fedora related sites, but I saw no information at all regarding this vulnerability or a timeline for update availability on the F34 repos.
Any info or pointers to info about a timeline for this would be greatly appreciated!
You can already install the relevant update from the testing repo:
This should as well fix CVE-2021-41773:
Pushing to stable typically takes a few hours adding some time for repos to sync.
I avoid using testing repos for this particular system, but I appreciate the info.
And since this particular system doesn’t have critical (at least for me) web-based resources, I’ll just (as I’ve already done) perform the mitigation suggested ( Require All Denied) and leave apache down until 2.4.50 becomes available in the Fedora Updates repo.
This particular vulnerability was widely exploited very quickly after its announcement and I recognize that the maintainers need to be judicious in rolling out new packages.
Thanks again for your response and the excellent info it provided!
As a follow on, I’d note that the update to Apache 2.4.50 is now available in the Fedora Updates repo, and is being applied to my system as I write this.
Once again, thanks for your response and time!
Thanks for the heads up.
I should be okay as I have the necessary directives in place and have been watching my logs closely – and a bunch of attempts have been made to exploit this since yesterday.
I’ll disable CGI too until this is fully resolved.
Hi @rwaskfedora, you mention you had a VM that was compromised via this vulnerability. Do you have any additional information about what the attacker did after they had compromised this?
I do. However, I’m not going to share such information in a public forum or with unknown parties.
Please don’t take that as a personal dig, I’d say the same to any other stranger who asked.
You can see the related HTTP requests like this:
sudo grep -i -r -e %2e -e %%32%65 /var/log/httpd
Although most of them should be rejected by default:
Tree - rpms/httpd - src.fedoraproject.org
Thanks for responding. However, unless I misunderstood Mr. Lowe, he was not asking about how to identify what was attempted, he was asking what the attacker did after their initial success.
And yes, I have information about what the specific attacker that compromised my VM did and attempted to do. And I have preserved that information, despite having completely destroyed the compromised VM and replaced it with a new one.
Such information (IMHO) should not be posted in public forums, nor should it be shared willy-nilly with anyone who asks.
It’s possible that I misunderstood what Mr. Lowe wanted, but I don’t think so.