This message is intended for U-M IT staff who are responsible for university systems running the Apache web server. This is an update to the ITS IA Alert regarding an Apache HTTP server zero-day vulnerability originally sent on 10-5-21. Since then, we have learned that version 2.4.50 is also vulnerable and needs to be updated as soon as possible.
Summary
Update Apache HTTP servers running v. 2.4.49 or 2.4.50 to protect against a zero-day vulnerability that is being actively exploited.
Problem
Apache HTTP server versions 2.4.49 and 2.4.50 contain a flaw that could allow an attacker to access files outside the expected document root, potentially revealing sensitive information.
Affected Versions
Apache HTTP servers 2.4.49 and 2.4.50
Action Items
Update any Apache servers running 2.4.49 or 2.4.50 as soon as possible; 2.4.50 is itself vulnerable and is not a fix. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Threats
This vulnerability is being actively exploited.
Technical Details
Apache HTTP server versions 2.4.49 and 2.4.50 contain a flaw introduced by a change to path normalization. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
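As an added example (not part of the ITS alert), the following Python helps with the two checks a server owner would want: whether a Server header names one of the affected releases, and whether access-log request paths, once percent-decoded, resolve outside the document root. The log lines are constructed for illustration, and the decoding depth limit is an assumption.

```python
import re
from urllib.parse import unquote
AFFECTED_VERSIONS = {"2.4.49", "2.4.50"}          # releases named in the alert
SERVER_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")
# Request line inside a Common Log Format entry: "METHOD /path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|OPTIONS|PUT|DELETE) (\S+) HTTP/[\d.]+"')

def is_affected_version(server_header: str) -> bool:
    """True if a Server header such as 'Apache/2.4.50 (Unix)' names an affected release."""
    m = SERVER_RE.search(server_header)
    return m is not None and m.group(1) in AFFECTED_VERSIONS

def fully_decoded(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so nested encodings of '.' and '/' are exposed (round limit is an assumption)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path: str) -> bool:
    """True if the decoded path climbs above the document root through '..' segments."""
    depth = 0
    for segment in fully_decoded(raw_path.split("?", 1)[0]).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:  # more '..' than directories entered: resolves outside the root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

def suspicious_requests(log_lines):
    """Raw request paths from the log whose decoded form resolves outside the document root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and escapes_docroot(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed access-log lines for illustration, not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2021:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Oct/2021:10:01:03 -0400] "GET /docs/../images/logo.png HTTP/1.1" 200 77',
    '198.51.100.9 - - [06/Oct/2021:10:02:15 -0400] "GET /static/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199',
    '198.51.100.9 - - [06/Oct/2021:10:02:16 -0400] "GET /static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 241',
]
```

Run `suspicious_requests` over the real access log of any 2.4.49 or 2.4.50 host before and after patching; a 200 response on a flagged path is the case to escalate.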
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.