Ike.ninja

In the October 2021 survey we received responses from 1,179,448,021 sites across 265,426,928 unique domains and 11,388,826 web-facing computers. This reflects a loss of 8.59 million sites, but a gain of 1.07 million domains and 20,800 computers.

The number of unique domains powered by the nginx web server grew by 789,000 this month, which has increased its total to 79.5 million domains and its leading market share to 29.9%. Conversely, Apache lost 753,000 domains and saw its second-place share fall to 24.7%. Meanwhile, Cloudflare gained 746,000 domains – almost as many as nginx – but it stays in fourth place with an 8.15% share while OpenResty’s shrank slightly to 14.5%.

Cloudflare also made strong progress amongst the top million websites, where it increased its share by 0.24 percentage points to 18.2%. nginx is in second place with a 22.5% (+0.12pp) share but has closed the gap on Apache which still leads with 24.0% after losing 0.21pp.

Apache also continues to lead in terms of active sites, where it has a total of 48.0 million. However, it was the only major vendor to suffer a drop in this metric, with a loss of 277,000 active sites reducing its share down to 23.9% (-0.29pp). In terms of all sites, nginx lost the most (-9.99 million) but remains far in the lead with a total of 412 million.

Apache vulnerability being actively exploited in the wild

Apache 2.4.51 was released on 7 October. This is the latest release in the 2.4.x stable branch, which the developers consider to be the best available version of the Apache HTTP Server; but more importantly, this release fixes a path traversal vulnerability present in Apache 2.4.49 and 2.4.50. Apache 2.4.50 was itself released a day earlier in an attempt to fix the vulnerability present in 2.4.49, but the fix was found to be insufficient.

The vulnerability is being actively exploited in the wild, so anyone still running an unpatched Apache 2.4.49 or 2.4.50 installation should upgrade immediately. In some cases, the path traversal vulnerability could facilitate remote code execution on the web server.

Due to the nature of this vulnerability, some otherwise vulnerable installations may be immune to attack if a web application firewall (WAF) is in place, or if a frontend proxy or load balancer modifies malicious requests in a way that makes them safe. For instance, all vulnerable Apache installations served via the Cloudflare content delivery network would have been protected from the outset if Normalize URLS to origin were enabled, and the Cloudflare WAF has rules that would have stopped many exploit attempts.

Other vendor and hosting news

• During September, Microsoft released fixes for three elevation of privilege and one remote code execution vulnerabilities in the Open Management Infrastructure (OMI) framework, which is used by several Azure Virtual Machine management extensions. The remote code execution vulnerability can only affect customers using a Linux management solution with remote OMI enabled. A full list of the vulnerable extensions and update availability is being maintained on the Microsoft Security Response Center blog.
• Microsoft announced the general availability its Azure Purview data governance solution on 28 September.
• On 5 October, Microsoft removed the waiting list for its Azure NetApp Files bare-metal cloud file storage and data management service.
• lighttpd 1.4.60 was released on 3 October. This version includes a large number of changes, including several bugfixes and improved handling of HTTP/2 connections.
• LiteSpeed Web Server 6.0.9 was released on 20 September to address several bugs and add a new log rotation feature. OpenLiteSpeed 1.7.14 – the open source edition of LiteSpeed Web Server Enterprise – was released on 7 September.