ALERT: Update Apache HTTP server 2.4.49 AND 2.4.50 to fix zero-day vulnerability to fix zero-day vulnerability


This message is intended for U-M IT staff who are responsible for university systems running Apache web server. This is an update to the ITS IA Alert regarding an Apache HTTPS server zero-day vulnerability originally sent on 10-5-21. Since then, we have learned that version 2.4.50 is also vulnerable and needs to be updated as soon as possible.


Update Apache HTTP servers running v. 2.4.49 or 2.4.50 to protect against zero-day vulnerability that is being actively exploited.


Apache HTTP server version 2.4.49 and 2.4.50 contains a flaw that could allow an attacker to access files outside the expected document root, potentially revealing sensitive information.

Affected Versions

Apache HTTP servers 2.4.49 and 2.4.50

Action Items

Update any Apache servers running 2.4.49 to Apache 2.4.50 as soon as possible. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).


This vulnerability is being actively exploited.

Technical Details

Apache HTTP server version 2.4.49 and 2.4.50 contains a flaw in a change made to path normalization. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious EmailSecure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.