CRS protecting users from Apache CVE-2021-41773

Version 2.4.49 of the Apache webserver is affected by a path traversal vulnerability. This caught a lot of people on the left foot. Well not those who protect their services with CRS. CRS has your back for this new exploit too - as very often.

There are a lot of proof of concept exploits for this vulnerability around now. All proof of concepts I saw work via hex encoding the dot-character as %2e. That means you can disguise a classical path traversal using dots as follows:

Apache 2.4.49 introduced a bug where it would fall for this trick.

CRS has two rules that will see through the ruse, though:

Both rules are paranoia level 1 rules. That means they are active in a default installation.

So while Apache administrators on 2.4.49 would need to rush to update to 2.4.50, admins using CRS for protection can schedule the necessary Apache update without any urgency: CRS buys you time!

Take away message: If you put anything on the web, make sure you protect it with a default ModSecurity / CRS WAF in front.

Christian Folini / [@ChrFolini]