A patch has been made available for OpenLiteSpeed Web Server and can be downloaded now.
Security researchers have warned that OpenLiteSpeed Web Server, a widely used open source web server, carried several serious vulnerabilities, two of them rated high severity. Researchers from Unit 42, Palo Alto Networks’ threat research division, said that attackers able to exploit the flaws would have gained remote code execution with full privileges on the affected server.
The team found three flaws in OpenLiteSpeed Web Server: CVE-2022-0073, a high-severity remote code execution flaw with a CVSS score of 8.8; CVE-2022-0074, a privilege escalation flaw also scored 8.8; and CVE-2022-0072, a medium-severity directory traversal flaw scored 5.8. The enterprise edition, LiteSpeed Web Server, was affected by the same flaws.
Unit 42 reported its findings to LiteSpeed Technologies, which fixed the bugs and released updated server versions along with a warning to customers to update their software right away.
Organizations running LiteSpeed Web Server versions 5.4.6 to 6.0.11 or OpenLiteSpeed versions 1.5.11 to 1.7.16 are advised to upgrade as soon as feasible, to 6.0.12 and 1.7.16.1 respectively. According to Unit 42, LiteSpeed is the sixth most popular web server, serving over 2% of all web server applications on nearly 1.9 million unique servers worldwide.
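The affected ranges above include a four-component fix release (1.7.16.1), so a naive string comparison of version numbers will misclassify hosts. The script below is an added example, not code from the article or from LiteSpeed Technologies: it compares dotted version strings numerically and reports whether an installed OpenLiteSpeed or LiteSpeed Enterprise version falls inside the affected range quoted in the article. The `installed_version` helper, the binary path `/usr/local/lsws/bin/openlitespeed` and the format of its `-v` output are assumptions about the install layout, not facts from the article; the sample version strings at the bottom are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the article or from LiteSpeed Technologies).
# Affected ranges are the ones quoted in the article:
#   OpenLiteSpeed 1.5.11 - 1.7.16  (fixed in 1.7.16.1)
#   LiteSpeed Enterprise 5.4.6 - 6.0.11  (fixed in 6.0.12)

# vercmp A B: prints lt, eq or gt according to how dotted version A compares
# to dotted version B, component by component. Missing trailing components
# count as 0, so 1.7.16 < 1.7.16.1. Only numeric components are handled.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # drop the leading component, or empty the string after the last one
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
    done
    echo eq
}

# is_affected PRODUCT VERSION: exit 0 when VERSION lies inside the affected
# range for PRODUCT ("openlitespeed" or "enterprise"), 1 when it does not,
# 2 for an unknown product name.
is_affected() {
    case $1 in
        openlitespeed) lo=1.5.11; hi=1.7.16 ;;
        enterprise)    lo=5.4.6;  hi=6.0.11 ;;
        *) echo "unknown product: $1" >&2; return 2 ;;
    esac
    [ "$(vercmp "$2" "$lo")" != lt ] && [ "$(vercmp "$2" "$hi")" != gt ]
}

# ASSUMPTION (not from the article): the server binary prints a line such as
# "LiteSpeed/1.7.16 Open" when run with -v. Adjust the path for your host.
installed_version() {
    /usr/local/lsws/bin/openlitespeed -v 2>/dev/null \
        | sed -n 's#.*LiteSpeed/\([0-9.]*\).*#\1#p'
}

# Constructed sample inputs so the script runs offline; on a real host use
#   is_affected openlitespeed "$(installed_version)"
for v in 1.5.10 1.5.11 1.7.16 1.7.16.1; do
    if is_affected openlitespeed "$v"; then
        echo "$v: affected, upgrade to 1.7.16.1"
    else
        echo "$v: not in the affected range"
    fi
done
```

The comparison treats an absent fourth component as 0, which is what makes 1.7.16 sort below the 1.7.16.1 fix release; a plain lexical `sort` or string equality check would not. Pre-release suffixes (for example `1.7.16rc1`) are not handled and will make the numeric test error out, which is preferable to silently reporting such a build as safe.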
Web servers have advanced significantly in terms of security and defences, but Unit 42 notes that despite this positive outlook, new vulnerabilities are continually being discovered because of the rapid pace of technical change.
“We tried to imitate the actions of an adversary and engaged in research with the intention of finding vulnerabilities and disclosing them to the vendor,” the researchers wrote in a blog post.