CVE-2021-31618
Summary
| CVE | CVE-2021-31618 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-15 09:15:00 UTC |
| Updated | 2023-11-07 03:34:00 UTC |
| Description | Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released. |
Risk And Classification
Problem Types: CWE-476
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | 1.15.17 | All | All | All |
| Application | Apache | Http Server | 2.4.47 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Application | Oracle | Enterprise Manager Ops Center | 12.4.0.0 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
| Application | Oracle | Zfs Storage Appliance Kit | 8.8 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| [SECURITY] Fedora 34 Update: mod_http2-1.15.19-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 34 Update: mod_http2-1.15.19-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [httpd-cvs] 20210615 svn commit: r1890801 - /httpd/site/trunk/content/security/json/CVE-2021-31618.json | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Debian -- Security Information -- DSA-4937-1 apache2 | DEBIAN | www.debian.org | |
| [SECURITY] Fedora 33 Update: mod_http2-1.15.19-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 2706-1] apache2 security update | MLIST | lists.debian.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Apache: Multiple vulnerabilities (GLSA 202107-38) — Gentoo security | GENTOO | security.gentoo.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| CVE-2021-31618 Apache HTTP Server Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| oss-security - CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request | MLIST | www.openwall.com | |
| [httpd-cvs] 20210615 svn commit: r1075782 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_24.html | lists.apache.org | ||
| oss-sec: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request | MISC | seclists.org | |
| [SECURITY] Fedora 33 Update: mod_http2-1.15.19-1.fc33 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Apache HTTP server would like to thank LI ZHI XIN from NSFocus for reporting this.
Legacy QID Mappings
- 150403 Apache HTTP Server NULL pointer dereference (CVE-2021-31618)
- 178699 Debian Security Update for apache2 (DSA 4937-1)
- 178701 Debian Security Update for apache2 (DLA 2706-1)
- 180247 Debian Security Update for apache2 (CVE-2021-31618)
- 239451 Red Hat Update for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)
- 281653 Fedora Security Update for mod_http2 (FEDORA-2021-181f29c392)
- 281654 Fedora Security Update for mod_http2 (FEDORA-2021-051639aad4)
- 296053 Oracle Solaris 11.4 Support Repository Update (SRU) 35.94.4 Missing (CPUJUL2021)
- 352395 Amazon Linux Security Advisory for httpd: ALAS2-2021-1659
- 352406 Amazon Linux Security Advisory for httpd: ALAS2-2021-1672
- 352458 Amazon Linux Security Advisory for mod_http2: ALAS2-2021-1678
- 500021 Alpine Linux Security Update for apache2
- 503712 Alpine Linux Security Update for apache2
- 690107 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (cce76eca-ca16-11eb-9b84-d4c9ef517024)
- 710030 Gentoo Linux Apache Multiple vulnerabilities (GLSA 202107-38)
- 730108 Apache HTTP Server Denial of Service Vulnerability
- 730109 Apache HTTP Server Multiple Vulnerabilities
- 750660 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2021:2004-1)
- 750662 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2021:2006-1)
- 750719 OpenSUSE Security Update for apache2 (openSUSE-SU-2021:0908-1)
- 750813 OpenSUSE Security Update for apache2 (openSUSE-SU-2021:2127-1)