Apache HTTP Web Server users should update their servers immediately to close critical security flaws that affect cloud and shared web hosting providers. eWeek published a great article detailing the critical flaw and how the update fixes it. We definitely recommend you read the full article, but the tl;dr is:
- Apache HTTP Web Server, an open-source project, has patched 6 flaws in its new update
- The flaws this update fixes include a critical issue that “allows anyone you allow to write a script (PHP, CGI,…) to gain root,” according to Mark Cox, a consulting engineer at Red Hat and VP of Security at the Apache Software Foundation.
- One of the serious vulnerabilities patched is a local root privilege escalation flaw
Bob Rudis, Chief Data Scientist at Rapid7, provided some great commentary in the eWeek article on the security impact of these bugs. He estimated that there are around 2M Apache web server deployments that aren’t yet patched. We saw around 1M servers that were potentially vulnerable to just one of the critical vulnerabilities fixed with this patch (see search below).
Happily, there’s a solution to the problem. Using Censys, you can find the Apache HTTP Web Servers your organization is using, even the ones you didn’t already know about, that are actually connected to the Internet, potentially vulnerable, and require patching.
Read the full technical advisory from Apache for additional details and to gather intel about additional affected Apache versions to search for.
How to find your Apache HTTP Web Servers in Censys
The root privilege escalation flaw mentioned earlier is tied specifically to Apache HTTP Server 2.4.17 – 2.4.38. To find those in Censys, use the following search:
https://censys.io/ipv4?q=443.https.get.metadata.version%3A+%2F%282.4.1%5B0-9%5D%7B1%7D%29%7C%282.4.2%5B0-9%5D%7B1%7D%29%7C%282.4.3%5B0-7%5D%7B1%7D%29%2F+AND+443.https.get.metadata.manufacturer%3A+Apache*
To find affected servers that are being used in your organization, add the following filter: AND 443.https.tls.certificate.parsed.names: * (replace * with your domain name).
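Before relying on a version search for patch triage, it is worth checking which patch levels its regex really selects. The following is an added example, not part of the original article or of Censys tooling: it decodes the search URL above and compares the regex against the stated 2.4.17 – 2.4.38 range. It assumes the version field holds a bare string such as 2.4.29 and that the regex must match the whole value; `TIGHT` and `example.com` are hypothetical placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse

# Search URL exactly as it appears on this page.
PAGE_URL = (
    "https://censys.io/ipv4?q=443.https.get.metadata.version%3A+%2F%282.4.1"
    "%5B0-9%5D%7B1%7D%29%7C%282.4.2%5B0-9%5D%7B1%7D%29%7C%282.4.3%5B0-7%5D"
    "%7B1%7D%29%2F+AND+443.https.get.metadata.manufacturer%3A+Apache*"
)
# Range the page gives for the root privilege escalation flaw: 2.4.17 - 2.4.38.
AFFECTED = {f"2.4.{p}" for p in range(17, 39)}
# Constructed candidate list: every 2.4.x patch level from 0 to 49.
CANDIDATES = [f"2.4.{p}" for p in range(50)]
# Hypothetical tightened pattern in the page's own regex style (not from the page).
TIGHT = "(2.4.1[7-9])|(2.4.2[0-9])|(2.4.3[0-8])"


def patch_level(version):
    """Numeric sort key: the last dotted component of a version string."""
    return int(version.rsplit(".", 1)[1])


def version_regex(url):
    """Decode the q= parameter and return the regex between the slashes."""
    query = parse_qs(urlparse(url).query)["q"][0]
    return re.search(r"version:\s*/(.+?)/", query).group(1)


def coverage(pattern):
    """Return (missed, extra) patch levels relative to the stated range."""
    # Assumption: the regex must match the entire field value.
    matched = {v for v in CANDIDATES if re.fullmatch(pattern, v)}
    return (sorted(AFFECTED - matched, key=patch_level),
            sorted(matched - AFFECTED, key=patch_level))


def org_query(pattern, domain):
    """Version clause plus the page's manufacturer and certificate-name filters."""
    return (f"443.https.get.metadata.version: /{pattern}/"
            " AND 443.https.get.metadata.manufacturer: Apache*"
            f" AND 443.https.tls.certificate.parsed.names: {domain}")


if __name__ == "__main__":
    for label, pat in (("page", version_regex(PAGE_URL)), ("tight", TIGHT)):
        missed, extra = coverage(pat)
        print(f"{label}: missed={missed} extra={extra}")
    print(org_query(TIGHT, "example.com"))  # example.com is a placeholder
```

Under those assumptions, the pattern in the URL above also selects 2.4.10 through 2.4.16 and does not select 2.4.38, so check 2.4.38 hosts separately when building your patch list.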
Once you’ve located the affected servers, update them ASAP to prevent these serious flaws from being exploited and causing you grief. Patches are available directly from Apache; grab them here.