OpenLiteSpeed Web Server, a globally popular open-source web server, had some very serious vulnerabilities, experts warn.
Threat actors who managed to exploit these flaws would have been given full privileges to execute remote code, noted researchers at Unit 42, the cybersecurity research arm of Palo Alto Networks.
The team discovered that OpenLiteSpeed Web Server contained three very serious vulnerabilities: CVE-2022-0073 (a remote code execution flaw with a severity score of 8.8), CVE-2022-0074 (a privilege escalation flaw, also scored 8.8), and CVE-2022-0072 (a medium-severity directory traversal flaw scored 5.8). The vulnerabilities also affected the enterprise version, LiteSpeed Web Server.
Patch ready
Unit 42 notified LiteSpeed Technologies of its findings, which subsequently fixed the bugs and released new versions of the server, urging users to update their software immediately.
Organizations using OpenLiteSpeed versions 1.5.11 – 1.7.16, as well as LiteSpeed versions 5.4.6 – 6.0.11, are urged to update to 1.7.16.1 and 6.0.12 respectively as soon as possible.
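As an added example (not code from the article, Unit 42 or LiteSpeed Technologies), a small Python check that flags inventory entries whose version falls inside the affected ranges quoted above. The affected ranges and fixed versions are the ones the article states; the inventory line format and the sample hosts are assumed.

```python
"""Flag OpenLiteSpeed / LiteSpeed Web Server versions inside the affected ranges
named in the article. The inventory format ("host product/version") and the
sample hosts are constructed for this example."""
import re

# (first affected, last affected, fixed version), as stated in the article
AFFECTED = {
    "OpenLiteSpeed": ("1.5.11", "1.7.16", "1.7.16.1"),
    "LiteSpeed": ("5.4.6", "6.0.11", "6.0.12"),
}

def parse_version(s):
    """Turn '1.7.16.1' into (1, 7, 16, 1) so tuples compare numerically.
    Shorter strings are zero-padded, so 1.7.16 sorts below 1.7.16.1."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))

def check_version(product, version):
    """Return (affected, fixed_version) for one product/version pair."""
    if product not in AFFECTED:
        return False, None
    low, high, fixed = AFFECTED[product]
    v = parse_version(version)
    if parse_version(low) <= v <= parse_version(high):
        return True, fixed
    return False, None

# Constructed sample inventory: one "host product/version" line per server.
SAMPLE_INVENTORY = """\
web01 OpenLiteSpeed/1.7.15
web02 OpenLiteSpeed/1.7.16.1
web03 LiteSpeed/6.0.11
web04 LiteSpeed/6.0.12
web05 nginx/1.22.0
"""

LINE_RE = re.compile(r"^(\S+)\s+(OpenLiteSpeed|LiteSpeed)/(\d+(?:\.\d+)*)\s*$")

def scan_inventory(text):
    """Return {host: fixed_version} for every host running an affected build."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a LiteSpeed product, or an unparseable line
        host, product, version = m.groups()
        affected, fixed = check_version(product, version)
        if affected:
            findings[host] = fixed
    return findings

if __name__ == "__main__":
    for host, fixed in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, update to {fixed}")
```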
According to Unit 42, the LiteSpeed Web Server is the sixth most popular web server offering out there, serving approximately 2% of all web server applications, with nearly 1.9 million unique servers around the world.
“We tried to imitate an adversary’s actions and conducted research with the intent of finding vulnerabilities and revealing them to the supplier,” the researchers explained in a blog post.
“This research has resulted in finding three vulnerabilities that affect both the enterprise and open source solutions. These can be chained and exploited by an adversary who has the admin dashboard credentials to gain privileged code execution on vulnerable components.”
Web servers have come a long way in terms of security and protection, Unit 42 concludes, adding that despite the optimistic outlook, vulnerabilities are still being found due to the rapid pace of technology evolution.