How to identify and patch them

Apache HTTP server
Recently, a new high-risk Apache HTTP Server vulnerability was reported that is currently being actively exploited:
An attacker could use a path traversal attack to map URLs to files outside the expected document root. Possible consequences include retrieval of arbitrary files and remote command execution. Only Apache 2.4.49 and 2.4.50 are affected. Make sure to patch to version 2.4.51.
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient; only patch 2.4.51 will suffice.
Both CVE-2021-41773 and CVE-2021-42013 can be detected and are currently being actively exploited.
See also:
- https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited
- https://twitter.com/lofi42/status/1445382059640434695?
- https://www.picussecurity.com/resource/blog/simulate-apache-cve-2021-41773-exploits-vulnerability
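The detection the post refers to is, on the web-server side, a matter of spotting requests whose URL path steps outside the document root after percent-decoding. The following is an added example (not code from the original post or from Protect4S): it reads Apache combined-format access-log lines, decodes every path segment until the value stops changing (so both single and double percent-encoding are normalised) and reports requests in which a decoded segment is exactly `..`. The log lines, client addresses and file names are constructed for the example.

```python
"""Flag access-log requests whose URL path contains an encoded '..' segment.

Added example, not from the original post. Reads Apache combined-format
access-log lines, percent-decodes every path segment until it is stable
(single and double encoding are both normalised) and reports requests that
step outside the document root. Sample lines are constructed; the client
addresses are documentation addresses (203.0.113.0/24).
"""
import re
from urllib.parse import unquote

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic: one benign request, one single-encoded traversal
# that the server answered with 200, one double-encoded traversal that was
# refused with 403, and one benign path that merely contains two dots.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [05/Oct/2021:10:01:09 +0000] "GET /icons/.%2e/.%2e/.%2e/outside-docroot.txt HTTP/1.1" 200 512
203.0.113.9 - - [05/Oct/2021:10:01:15 +0000] "GET /static/.%%32%65/.%%32%65/outside-docroot.txt HTTP/1.1" 403 199
203.0.113.11 - - [05/Oct/2021:10:02:00 +0000] "GET /docs/release..notes.html?q=a%2eb HTTP/1.1" 200 88
"""


def normalise_segment(segment: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value is stable (bounded so that
    pathological input cannot loop). '.%2e' -> '..'; '.%%32%65' -> '.%2e' -> '..'."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            break
        segment = decoded
    return segment


def is_traversal(path: str) -> bool:
    """True when any segment of the path, after decoding, is exactly '..'.
    The query string is ignored; 'release..notes.html' is not a traversal."""
    path_only = path.split("?", 1)[0]
    return any(normalise_segment(seg) == ".." for seg in path_only.split("/"))


def find_traversal(log_text: str) -> list:
    """Return (client, status, raw path) for every request flagged as traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("client"), int(m.group("status")), m.group("path")))
    return hits


if __name__ == "__main__":
    for client, status, path in find_traversal(SAMPLE_LOG):
        # A 200 means the server served the request; 400/403 means it was refused.
        print(f"{client} {status} {path}")
```

The status code is kept in the result on purpose: a flagged request answered with 200 on a 2.4.49 or 2.4.50 host is the case to escalate, while the same request refused with 400 or 403 is evidence that the server is already patched or the path is not exposed.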
There are also older vulnerabilities in Apache products. For SAP products, vulnerabilities in third-party components are not always published by SAP and might therefore remain unpatched. For Apache, you will find them here:
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013
- Apache HTTP server: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html
- Apache Struts: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html
- Apache Tomcat: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/Apache-Tomcat.html
Apache and SAP
SAP ships Apache software in several products like:
- Apache Web Server: Content Server, BusinessObjects, SAP Cloud Analytics, SAP Hybris & SAP Commerce Store FrontEnd. There are also some SAP-related third-party products that rely on Apache, for instance OpenText, Celonis process mining and VoCollect voice picking (EWM).
- Apache Tomcat: SAP Cloud Connector
- Apache Struts Web application framework: SAP Data Services
For Apache Struts, the following high-risk vulnerability exists – CVE-2018-11776: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are susceptible to possible remote code execution.
For the SAP Cloud Connector, see also OSS Note 3071343 about BREACH type attacks.
For SAP NW 7.50, a new type of Content Server is now available which uses the SAP Web Dispatcher instead of the Apache webserver. Make sure to secure your SAP Web Dispatcher as described in our previous blog.
Determine the active Apache versions of your SAP Products and make sure to patch these accordingly!
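Determining which installed versions fall inside the ranges named above is a simple comparison once the version strings have been collected. The following is an added example (not Protect4S or Apache code) that classifies an Apache HTTP Server or Apache Struts version string against the affected ranges stated in this post and, where an `httpd` or `apache2` binary is available locally, queries it with `-v`. The inventory entries in the `__main__` section are constructed; on a real SAP host they would come from the Content Server, BusinessObjects or Data Services installations.

```python
"""Classify Apache HTTP Server / Apache Struts versions against the affected
ranges stated in the post. Added example, not Protect4S or Apache code. The
version strings in the inventory below are constructed; `httpd -v` is only run
when the binary is present on the host."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges per product, as stated in the post.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "httpd": [((2, 4, 49), (2, 4, 50))],                      # CVE-2021-41773 / CVE-2021-42013
    "struts": [((2, 3), (2, 3, 34)), ((2, 5), (2, 5, 16))],   # CVE-2018-11776
}
FIXED: Dict[str, Version] = {"httpd": (2, 4, 51)}


def parse_version(text: str) -> Optional[Version]:
    """Pull the first dotted version out of e.g. 'Server version: Apache/2.4.49 (Unix)'
    or 'struts2-core-2.5.16.jar'; None when there is no dotted number."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(product: str, version_text: str) -> str:
    """Return 'vulnerable', 'not-affected' or 'unknown'. Python tuple comparison
    treats a bare (2, 5) as the lower bound of its range, so 2.5.0 is included."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if any(lo <= version <= hi for lo, hi in AFFECTED[product]):
        return "vulnerable"
    return "not-affected"


def local_httpd_version() -> Optional[str]:
    """Ask the local httpd (or apache2) binary for its version; None when absent."""
    for binary in ("httpd", "apache2"):
        if shutil.which(binary):
            out = subprocess.run([binary, "-v"], capture_output=True, text=True)
            return out.stdout
    return None


if __name__ == "__main__":
    # Constructed inventory entries standing in for what you would collect
    # from each SAP product that ships Apache components.
    inventory = [
        ("httpd", "Server version: Apache/2.4.49 (Unix)"),
        ("httpd", "Server version: Apache/2.4.51 (Unix)"),
        ("struts", "struts2-core-2.5.16.jar"),
        ("struts", "struts2-core-2.5.17.jar"),
    ]
    for product, text in inventory:
        verdict = assess(product, text)
        target = f" (upgrade to {'.'.join(map(str, FIXED[product]))})" \
            if verdict == "vulnerable" and product in FIXED else ""
        print(f"{product}: {text} -> {verdict}{target}")
    live = local_httpd_version()
    if live:
        print("local httpd:", assess("httpd", live))
```

Versions older than 2.4.49 are reported as not affected by these two CVEs only; they carry their own older issues from the Apache advisory lists linked above, so "not-affected" here is not the same as "up to date".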
Protect4S
To keep SAP systems safe, SAP Customers need a Vulnerability Management process. Protect4S offers an automated SAP Vulnerability Management Solution that can execute thousands of security checks in complex and large SAP environments, present the findings in a clear manner and offer mitigation and remediation advice based on SAP’s own Best Practices.
Protect4S offers a free trial so you can experience how much easier SAP Platform Security becomes with Protect4S and how easy it is to start up and work with it.
Give us a try!