Helping Apache Servers stay safe from zero-day path traversal attacks (CVE-2021-41773)
On September 29, 2021, a path traversal vulnerability (CVE-2021-41773) was discovered in Apache HTTP Server version 2.4.49. It could allow an attacker to access sensitive files or compromise the web server via remote code execution. The issue has been patched in versions 2.4.50 and 2.4.51, and customers using affected versions should update immediately. Cloudflare's Web Application Firewall (WAF) provides additional protection against this vulnerability when rules with specific IDs are enabled. The flaw stems from missing path normalization logic, which allows attackers to access any file on the file system that the Apache process can access. Exploit attempts have been observed since October 5, primarily probing for static file paths.
Company: Cloudflare
Date published: Oct. 8, 2021
Author(s): Michael Tremante
Word count: 634
Hacker News points: None found.
Language: English