CVE-2021-42013 – vulnerability fixed in httpd-2.4.51

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

We are making emergency upgrades to Apache httpd 2.4.51 across all servers as the CVSS v3 Score for this CVE is 7.5 ( High ) – this may require up to ten minutes of unscheduled downtime if a reboot is required. Customers will be notified individually as their servers get updated.

What is the Common Vulnerabilities and Exposures (CVE) Glossary

CVE stands for Common Vulnerabilities and Exposures. CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of a vulnerability. At Lightspeed we use the CVSS score to decide if and when a CVE patch needs to be installed.

What is a CVSS and what does it mean?
What is the Common Vulnerability Scoring System (CVSS)

The CVSS is one of several ways to measure the impact of vulnerabilities, which is commonly known as the CVE score. The CVSS is an open set of standards used to assess a vulnerability and assign a severity along a scale of 0-10. The current version of CVSS is v3.1, which breaks down the scale is as follows:

SeverityBase Score
None0
Low0.1-3.9
Medium4.0-6.9
High7.0-8.9
Critical9.0-10.0

Here at Lightspeed, we typically roll out patches for CVE whose scores are in the High and Critical range as soon as are able to test them successfully on our test machines. CVEs with Low to Medium scores typically get updated during the regular weekend update cycle as they become part of the mainstream update process.