CVE-2021-41524
Summary
| CVE | CVE-2021-41524 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-05 09:15:00 UTC |
| Updated | 2023-11-07 03:38:00 UTC |
| Description | While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. |
Risk And Classification
Problem Types: CWE-476
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | 2.4.49 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 34 Update: httpd-2.4.50-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 35 Update: httpd-2.4.50-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Apache HTTP Server Vulnerabilties: October 2021 | CISCO | tools.cisco.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| October 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 35 Update: httpd-2.4.50-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| oss-security - CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing | MLIST | www.openwall.com | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| FEDORA-2021-5d2d4b6ac5 | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Apache httpd team would like to thank LI ZHI XIN from NSFocus Security Team for reporting this issue.
Legacy QID Mappings
- 150403 Apache HTTP Server NULL pointer dereference (CVE-2021-31618,CVE-2021-41524)
- 150404 Apache HTTP Server NULL pointer dereference (CVE-2021-41524)
- 182107 Debian Security Update for apache2 (CVE-2021-41524)
- 240794 Red Hat Update for JBoss Core Services (RHSA-2022:7143)
- 281962 Fedora Security Update for httpd (FEDORA-2021-5d2d4b6ac5)
- 352857 Amazon Linux Security Advisory for httpd24: ALAS-2021-1543
- 352858 Amazon Linux Security Advisory for httpd: ALAS2-2021-1716
- 500023 Alpine Linux Security Update for apache2
- 503714 Alpine Linux Security Update for apache2
- 690017 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (25b78bdd-25b8-11ec-a341-d4c9ef517024)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 87465 Apache Hypertext Transfer Protocol Server (HTTP Server) Path Traversal and Null Pointer Dereference Vulnerabilities
- 900394 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (5961)