Remote code execution can also be carried out by anyone who exploits the flaw.
Researcher Will Dormann, a vulnerability analyst at CERT/CC, said of the flaw: "...Apache needs to be the vulnerable 2.4.49 version, and mod-cgi is enabled, and it needs to be missing the default Require all denied. But if both of those are true, then CVE-2021-41773 is as RCE as it gets."
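The three conditions in the quote above can be checked against a server's configuration. The following is an added example, not code from the article or from the Apache project; the function name `audit` and both sample configurations are constructed for illustration, and the parser is simplified (it reads one file's text, does not follow Include directives, and only looks at the `<Directory />` block).

```python
import re

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = '''
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
'''
SAFE_CONF = '''
# LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
'''

CGI_MODULES = {"cgi_module", "cgid_module"}  # mod_cgi and mod_cgid

def audit(version, conf_text):
    """Evaluate the three conditions from the quote for one config text."""
    cgi_loaded = False
    root_denied = False
    in_root = False  # True while inside <Directory /> ... </Directory>
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        m = re.match(r'LoadModule\s+(\S+)', line, re.I)
        if m and m.group(1).lower() in CGI_MODULES:
            cgi_loaded = True
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            in_root = m.group(1).strip() == "/"
        elif re.match(r'</Directory>', line, re.I):
            in_root = False
        elif in_root and re.fullmatch(r'Require\s+all\s+denied', line, re.I):
            root_denied = True
    findings = {
        "vulnerable_version": version == "2.4.49",  # version named on this page
        "cgi_enabled": cgi_loaded,
        "root_deny_missing": not root_denied,
    }
    findings["rce_conditions_met"] = all(findings.values())
    return findings
```
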
"The Apache thing is your yearly reminder to keep up with code changes on high profile surfaces over the long term ... the mental trap of "everyone was auditing this to death X years ago so it must still be barren and surely such and such doesn't exist" is real" — Bas Alberts (@basalberts), October 6, 2021
In its advisory, the Apache HTTP Server Project acknowledged that the vulnerability was being exploited in the wild. It credited Ash Daulton along with the cPanel Security Team for reporting the issue on 29 September.
A second vulnerability, CVE-2021-41524, is also present in version 2.4.49 and allows an external source to stage a denial-of-service attack on a server.
"Oh good, CVE-2021-41773 is in fact also RCE providing mod-cgi is enabled. An attacker can call any binary on the system and supply environment variables (that's how CGI works!) - if they can upload a file and set +x permissions, they can trivially run commands as Apache user." — Hacker Fantastic (@hackerfantastic), October 5, 2021
Li Zhi Xin of the NSFocus Security Team was credited with reporting CVE-2021-41524, which was reported on 17 September and patched through an update on 4 October.
Apache once had about 80% of the Web server software market, but in February this year, a survey by Netcraft found that its share had dropped to 26.3% of sites, 26.4% of domains and 32.7% of Web-facing computers.
nginx leads the Web server software market with 34.5% of sites, 30.4% of domains and 35% of Web-facing computers. But when it comes to the top million busiest sites, Apache has 25.5% of active sites, compared to 19.8% for nginx.