Update from October 6, 2021 – Apache released an update which fixes a critical rated Directory traversal and RCE exploit found in Apache Airflow Server version 2.4.49 (CVE-2021-41773), as well as version 2.4.50 (CVE-2021-42013). The latest version, 2.4.51 (CVE-2021-40438) fixes these vulnerabilities. Apache recommends upgrading your server to the latest version immediately. Click on this link for further details.

If you can’t update your server immediately, Avertium recommends creating a temporary firewall rule that prevents requests which include a=proxy:unix.


Overview of Apache Airflow Server Vulnerabilities 

On October 4, 2021, researchers from Intezer published details about two Apache Airflow Server vulnerabilities – a path traversal and file disclosure flaw in its HTTP server. The zero-day vulnerabilities are being tracked as CVE-2021-41773 and allow attackers to map URLs to files outside the expected document root by launching a path traversal attack.

A path traversal attack means threat actors gain access to the backend or sensitive server directories by sending unauthorized requests that should be inaccessible. Typically, the requests are blocked, but not when the filters are bypassed by using encoded characters (ASCII) for the URLs. Additionally, the path traversal flaw allows the source of interpreted files to be leaked. Companies like Slack, PayPal, and Klarna have already had sensitive information and credentials leaked due to this misconfiguration flaw.

According to Intezer, insecure coding practices are responsible for the data and credential leaks. For example, Intezer found hardcoded passwords inside Python DAG (Directed Acyclic Graph) code. Intezer’s researchers made it clear that passwords should not be hardcoded, and protection is not guaranteed - even if you believe the application is firewalled off to the internet.

So far, there are over a hundred thousand Apache Airflow servers online that are susceptible to this attack. The Apache Software Foundation released the patched version (2.4.50) on October 4, 2021. If you have Apache Airflow and have not patched, please patch your server now. Not doing so could result in your organization accidentally leaking sensitive information (credentials, sensitive data, etc.).


How Avertium is Protecting Our Clients

  • Avertium offers EDR and MDR services to help prevent your organization from becoming a victim to this kind of attack.

  • If a customer has an Apache Airflow server, we can help with patching and threat hunting.

  • Contact your SDM for more information.

Recommendations for CVE-2021-41773

  • Patch and update your server to The Apache Software Foundation’s latest version 4.50.

Indicators of compromise (iocs) for CVE-2021-41773

  • URL Traversal String - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts


Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now! (thehackernews.com)

Cve: CVE-2021-41773 - AlienVault - Open Threat Exchange

Misconfigured Apache Airflow servers leak thousands of credentials (bleepingcomputer.com)

Apache fixes zero-day vulnerability exploited in the wild, patch now (bleepingcomputer.com)

Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

GitHub - numanturle/CVE-2021-41773: CVE-2021-41773


Catch up on our latest flash notices: CRITICAL VMWARE VCENTER SERVER FLAW

Chat With One of Our Experts

Server vulnerabilities vulnerability management server flaw Apache Airflow Zero-Day Vulnerability Blog