ALERT: Update Apache HTTP server 2.4.49 AND 2.4.50 to fix zero-day vulnerability to fix zero-day vulnerability

Update Apache HTTP servers running v. 2.4.49 or 2.4.50 to protect against zero-day vulnerability that is being actively exploited.

Apache HTTP server version 2.4.49 and 2.4.50 contains a flaw that could allow an attacker to access files outside the expected document root, potentially revealing sensitive information.

Apache HTTP servers 2.4.49 and 2.4.50

Update any Apache servers running 2.4.49 to Apache 2.4.50 as soon as possible. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

This vulnerability is being actively exploited.

Apache HTTP server version 2.4.49 and 2.4.50 contains a flaw in a change made to path normalization. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Please contact ITS Information Assurance through the ITS Service Center.

• Apache HTTP Server 2.4 vulnerabilities
• Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!
• Apache fixes actively exploited zero-day vulnerability, patch now