Author Topic: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773  (Read 7772 times)

Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« on: October 06, 2021, 11:38:13 AM »
Apache 2.4.49 has a security problem.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773

Update to 2.4.50  or downgrade to 2.4.48 is recommended

What is the best way to update apache?

Can CWP team provide an update script?

On external sites there are tutorials for this update:
cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://www.mysterydata.com/upload/apache-rebuild.sh
yum install uuid uuid-devel -y
chmod 755 apache-rebuild.sh
sh apache-rebuild.sh


In my opinion it will be better that apache update is supported by the cwp forum.


Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #1 on: October 06, 2021, 01:46:26 PM »
Yes, I also got a similar notification from my VPS today.
In my opinion it is also the best solution to wait for the CWP upgrade team for cwp-httpd 2.4.50; I hope it will be soon, in a day or two.
« Last Edit: October 06, 2021, 01:49:27 PM by idovecer »

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #2 on: October 06, 2021, 06:23:33 PM »
Waiting is not an option.
I saw abuse of the vulnerability in the wild (injection lines in nobody's crontab trying to download Multi-Vector Miner+Tsunami Botnet).
So I shut down Apache and downgraded to 2.4.48.

So CWP: please update fast.

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #3 on: October 06, 2021, 06:33:42 PM »
The CWP update has a downgrade to 2.4.48, so simply run the update or wait to get updated.
Code:
/scripts/update_cwp
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #4 on: October 09, 2021, 06:13:06 AM »
Changing to Apache 2.4.50 does not solve the problem.
You have to update to 2.4.51.
You can do that by changing the version number at line 8 in the script in the first comment here.

The only thing that script does is recompile Apache from source. So it would be stupid to downgrade to a lower version.
« Last Edit: October 09, 2021, 06:21:09 AM by bartje1974 »
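
A local triage check built from the version guidance and the crontab observation in the replies above, as an added example that is not part of any post or of CWP's own tooling. It assumes CWP's source-built Apache lives at /usr/local/apache/bin/httpd and that the cron spool is /var/spool/cron (RHEL/CentOS layout); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths below are assumptions; override
# them with HTTPD_BIN and CRON_FILE if your layout differs.

# Extract "2.4.49" from `httpd -v` output such as
# "Server version: Apache/2.4.49 (Unix)".
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Classify a 2.4.x release using what the thread states: 2.4.49 is affected,
# 2.4.50 does not solve the problem, 2.4.51 or later is the target.
# NOT_AFFECTED refers to CVE-2021-41773 only.
classify_version() {
    case "$1" in
        2.4.49) echo "VULNERABLE" ;;
        2.4.50) echo "INCOMPLETE_FIX" ;;
        2.4.*)
            patch=${1#2.4.}
            case "$patch" in ''|*[!0-9]*) echo "UNKNOWN"; return ;; esac
            if [ "$patch" -ge 51 ]; then echo "FIXED"; else echo "NOT_AFFECTED"; fi ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Print non-comment crontab lines that fetch remote content. The web server
# account ("nobody" in the thread) normally has no crontab at all.
suspicious_cron_lines() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '(wget|curl)[[:space:]]|https?://' || true
}

triage_host() {
    httpd_bin=${HTTPD_BIN:-/usr/local/apache/bin/httpd}   # assumed CWP path
    cron_file=${CRON_FILE:-/var/spool/cron/nobody}        # assumed spool path
    ver=$(apache_version "$("$httpd_bin" -v 2>/dev/null)")
    echo "Apache ${ver:-not found}: $(classify_version "$ver")"
    hits=$(suspicious_cron_lines "$cron_file")
    [ -z "$hits" ] || printf 'Review crontab %s:\n%s\n' "$cron_file" "$hits"
}

# Run the check only when asked, e.g.: sh triage.sh --check
if [ "${1:-}" = "--check" ]; then triage_host; fi
```

Run it as root with `--check`; any line reported from the web server account's crontab should be treated as a sign of compromise rather than cleaned up and forgotten.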

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #5 on: December 20, 2021, 10:08:27 PM »
Any update on bringing back 2.4.51? I was previously able to compile 2.4.51 from the interface, but it has now been removed and has yet to be brought back.

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #6 on: December 21, 2021, 01:36:09 PM »
2.4.51 is part of the RPM... so you need to check if your RPMs are updated.

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #7 on: December 21, 2021, 05:57:39 PM »
2.4.51 is part of the RPM... so you need to check if your RPMs are updated.

CWP interface is updated via RPM (cwp-httpd); Webservers are built from source.  2.4.51 is not available in the list to build from source.



Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #8 on: December 28, 2021, 11:13:45 PM »
Is there an update on this? There is now a newer version of Apache (2.4.52) which fixes the flaw that can lead to remote code execution. Can we manually update apache without breaking CWP Panel?

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #9 on: December 28, 2021, 11:37:02 PM »
Is there an update on this? There is now a newer version of Apache (2.4.52) which fixes the flaw that can lead to remote code execution. Can we manually update apache without breaking CWP Panel?

An update seems to have been pushed today - CWPpro version: 0.9.8.1109 (up from 0.9.8.1108)

This has added 2.4.51 and 2.4.52 to the apache re-rebuild section.

Thank you to the team for resolving this.  Hopefully we see updates pushed more quickly as they're released

Re: Vulnerability apache 2.4.49 || (NVD)CVE-2021-41773
« Reply #10 on: December 29, 2021, 01:07:55 AM »
(...) There is now a newer version of Apache (2.4.52) which fixes the flaw that can lead to remote code execution. Can we manually update apache without breaking CWP Panel?

Yes.
Check this link to Sandeep's excellent tutorial:
https://www.mysterydata.com/how-to-enable-tls-1-3-in-apache-on-cwp-control-web-panel-centos-7-centos-8-el7-el8/

Regards,
Netino