Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773

Apache 2.4.49 has a security problem.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773

Update to 2.4.50  or downgrade to 2.4.48 is recommended

What is the best way to update apache?

Can CWP team provide an update script?

On external sites their are tutorials for this update:
cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://www.mysterydata.com/upload/apache-rebuild.sh
yum install uuid uuid-devel -y
chmod 755 apache-rebuild.sh
sh apache-rebuild.sh


In my opinion it will be better that apache update is supported by the cwp forum.

Yes, I also get similar notification from my VPS today.
In my opinion it is also best solution to wait for the CWP upgrade team for cwp-httpd 2.4.50, I hope it will be soon, in day or two.

Waiting is not an option.
I saw abuse of the vulnerability in the wild (injection lines in nobody's crontab trying to download Multi-Vector Miner+Tsunami Botnet).
So I shutdown apache and downgraded to 2.4.48

So CWP: please update fast.

cwp update has downgrade to 2.4.48 so simply run update or wait to get updated.

Code: [Select]

/scripts/update_cwp

To change to Apache 2.4.50 is not solve the problem.
You have to update to 2.4.51.
You can do that when you change the version number at Line 8 in the script in the first comment here.

The only thing what that script does is recompile Apache from source. So, it would be stupid to downgrade tot a lower version.

Any update on bringing back 2.4.51?  I was previously able to compile 2.4.51 from the interface, but it has now been removed and yet to be brought back

2.4.51 is part of rpm...so you need to check if you rpm's are updated

2.4.51 is part of rpm...so you need to check if you rpm's are updated

CWP interface is updated via RPM (cwp-httpd); Webservers are built from source.  2.4.51 is not available in the list to build from source.

Is there an update on this? There is now a newer version of Apache (2.4.52) which fixes the flaw that can lead to remote code execution. Can we manually update apache without breaking CWP Panel?

Is there an update on this? There is now a newer version of Apache (2.4.52) which fixes the flaw that can lead to remote code execution. Can we manually update apache without breaking CWP Panel?

An update seems to have been pushed today - CWPpro version: 0.9.8.1109 (up from 0.9.8.1108)

This has added 2.4.51 and 2.4.52 to the apache re-rebuild section.

Thank you to the team for resolving this.  Hopefully we see updates pushed more quickly as they're released

(...) There is now a newer version of Apache (2.4.52) which fixes the flaw that can lead to remote code execution. Can we manually update apache without breaking CWP Panel?

Yes.
Check this link from Sandeep excelent tutorial:
https://www.mysterydata.com/how-to-enable-tls-1-3-in-apache-on-cwp-control-web-panel-centos-7-centos-8-el7-el8/

Regards,
Netino