A patch for OpenLiteSpeed Web Server has been released and is available for download now.
Experts have warned that OpenLiteSpeed Web Server, a widely used open-source web server, has some very serious vulnerabilities. Researchers from Unit 42, the cybersecurity research division of Palo Alto Networks, pointed out that threat actors capable of exploiting these issues would have had fully privileged remote code execution capabilities.
The team discovered three flaws in OpenLiteSpeed Web Server: CVE-2022-0073 (a high-severity remote code execution flaw with a severity score of 8.8), CVE-2022-0074 (a privilege escalation flaw with a severity score of 8.8), and CVE-2022-0072 (a directory traversal flaw with a medium severity score of 5.8). The enterprise version, LiteSpeed Web Server, was also affected by the flaws.
Unit 42 notified LiteSpeed Technologies of its findings, and the company fixed bugs and provided updated server builds with a warning to consumers to update their software immediately.
Organizations using LiteSpeed versions 5.4.6 to 6.0.11 and OpenLiteSpeed versions 1.5.11 to 1.7.16 are recommended to upgrade their endpoints as soon as possible to versions 18.104.22.168 and 6.0.12 respectively. The LiteSpeed web server, which serves more than 2% of all web server applications and runs on nearly 1.9 million unique servers worldwide, is ranked sixth among web servers by Unit 42.
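As an added example (not part of the article, and not LiteSpeed's or Unit 42's own tooling), the following Python script checks a server inventory against the affected version ranges quoted above. The inventory lines, hostnames and the assumption that versions are plain dotted numerics are constructed for illustration; the affected ranges are the ones the article states.

```python
# Added example: flag LiteSpeed / OpenLiteSpeed installs whose version falls
# inside the ranges the article lists as affected. Hostnames and inventory
# lines below are constructed sample data, not real systems.

# Affected ranges exactly as stated in the article (inclusive on both ends).
AFFECTED = {
    "LiteSpeed": ("5.4.6", "6.0.11"),
    "OpenLiteSpeed": ("1.5.11", "1.7.16"),
}


def parse_version(v):
    """Turn '1.7.16' into (1, 7, 16) so comparison is numeric, not lexical.

    A plain string compare would put '1.7.9' after '1.7.16' and miss an
    affected build; tuples of ints compare component by component.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product, version):
    """Return True if `version` of `product` lies in the affected range."""
    if product not in AFFECTED:
        return False
    low, high = (parse_version(x) for x in AFFECTED[product])
    return low <= parse_version(version) <= high


# Constructed inventory: "<host> <product> <version>" per line.
SAMPLE_INVENTORY = """\
web-01 OpenLiteSpeed 1.7.16
web-02 OpenLiteSpeed 1.7.16.1
web-03 LiteSpeed 6.0.11
web-04 LiteSpeed 6.0.12
web-05 OpenLiteSpeed 1.7.9
web-06 nginx 1.22.1
"""


def triage(inventory):
    """Return the sorted list of hosts that still need the vendor update."""
    needs_update = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if is_affected(product, version):
            needs_update.append(host)
    return sorted(needs_update)


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected version, schedule upgrade")
```

The patched builds are deliberately not hard-coded: anything outside the stated range (for example a later 1.7.16.x or 6.0.12 build) is reported as not affected, so the check stays correct as long as the ranges are kept in sync with the vendor advisory.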
Web servers have come a long way in terms of security and defense, but Unit 42 believes that, despite this positive outlook, vulnerabilities will continue to be discovered because of the pace of technical progress.
“We attempted to mimic an adversary’s actions and engaged in research with the goal of finding vulnerabilities and disclosing them to the vendor,” the researchers mention in a blog post.