CVE-2021-44224
Summary
| CVE | CVE-2021-44224 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-20 12:15:00 UTC |
| Updated | 2023-11-07 03:39:00 UTC |
| Description | A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). |
Risk And Classification
Problem Types: CWE-476
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | All | All | All | All |
| Operating System | Apple | Macos | All | All | All | All |
| Operating System | Apple | Macos | 10.15.7 | All | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2020-001 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-001 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-002 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-003 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-004 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-005 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-006 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-007 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2021-008 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2022-001 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2022-002 | All | All |
| Operating System | Apple | Macos | 10.15.7 | security_update_2022-003 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | All | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2020-001 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-001 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-002 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-003 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-004 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-005 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-006 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-007 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2021-008 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2022-001 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2022-002 | All | All |
| Operating System | Apple | Mac Os X | 10.15.7 | security_update_2022-003 | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Oracle | Communications Element Manager | All | All | All | All |
| Application | Oracle | Communications Operations Monitor | 4.0 | All | All | All |
| Application | Oracle | Communications Operations Monitor | 4.3 | All | All | All |
| Application | Oracle | Communications Operations Monitor | 4.4 | All | All | All |
| Application | Oracle | Communications Operations Monitor | 5.0 | All | All | All |
| Application | Oracle | Communications Session Report Manager | All | All | All | All |
| Application | Oracle | Communications Session Route Manager | All | All | All | All |
| Application | Oracle | Http Server | - | All | All | All |
| Application | Oracle | Http Server | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Http Server | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
| Application | Tenable | Tenable.sc | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 36 Update: httpd-2.4.53-1.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| About the security content of macOS Big Sur 11.6.6 - Apple Support | CONFIRM | support.apple.com | |
| Full Disclosure: APPLE-SA-2022-05-16-2 macOS Monterey 12.4 | FULLDISC | seclists.org | |
| About the security content of macOS Monterey 12.4 - Apple Support | CONFIRM | support.apple.com | |
| [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities - Security Advisory | Tenable® | CONFIRM | www.tenable.com | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| oss-security - CVE-2021-44224: Apache HTTP Server: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | MLIST | www.openwall.com | |
| [SECURITY] Fedora 34 Update: httpd-2.4.53-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Debian -- Security Information -- DSA-5035-1 apache2 | DEBIAN | www.debian.org | |
| About the security content of Security Update 2022-004 Catalina - Apple Support | CONFIRM | support.apple.com | |
| [SECURITY] Fedora 35 Update: httpd-2.4.53-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 - Security Advisory | Tenable® | CONFIRM | www.tenable.com | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| [SECURITY] Fedora 36 Update: httpd-2.4.53-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Full Disclosure: APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6 | FULLDISC | seclists.org | |
| [SECURITY] Fedora 34 Update: httpd-2.4.53-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: httpd-2.4.52-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Full Disclosure: APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina | FULLDISC | seclists.org | |
| [SECURITY] Fedora 35 Update: httpd-2.4.53-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| December 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] Fedora 35 Update: httpd-2.4.52-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: 漂亮鼠
LEGACY: TengMA(@Te3t123)
Legacy QID Mappings
- 150456 Apache HTTP Server NULL pointer dereference and Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-44224)
- 159811 Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-1915)
- 178985 Debian Security Update for apache2 (DSA 5035-1)
- 179048 Debian Security Update for apache2 (DLA 2907-1)
- 182652 Debian Security Update for apache2 (CVE-2021-44224)
- 198620 Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5212-1)
- 240307 Red Hat Update for httpd:2.4 (RHSA-2022:1915)
- 240698 Red Hat Update for httpd24-httpd (RHSA-2022:6753)
- 240794 Red Hat Update for JBoss Core Services (RHSA-2022:7143)
- 282186 Fedora Security Update for httpd (FEDORA-2021-29a536c2ae)
- 282500 Fedora Security Update for httpd (FEDORA-2022-b4103753e9)
- 282521 Fedora Security Update for httpd (FEDORA-2022-21264ec6db)
- 296061 Oracle Solaris 11.4 Support Repository Update (SRU) 42.113.1 Missing (CPUJAN2022)
- 353114 Amazon Linux Security Advisory for httpd24 : ALAS-2022-1560
- 353126 Amazon Linux Security Advisory for httpd : ALAS2-2022-1737
- 354343 Amazon Linux Security Advisory for httpd : ALAS2022-2022-018
- 354482 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 354577 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 355264 Amazon Linux Security Advisory for httpd : ALAS2023-2023-072
- 376550 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUAPR2022)
- 376607 Apple macOS Security Update 2022-004 Catalina (HT213255)
- 376608 Apple MacOS Big Sur 11.6.6 Not Installed (HT213256)
- 376612 Apple macOS Monterey 12.4 Not Installed (HT213257)
- 378371 IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (6540288)
- 500025 Alpine Linux Security Update for apache2
- 503716 Alpine Linux Security Update for apache2
- 671368 EulerOS Security Update for httpd (EulerOS-SA-2022-1306)
- 671389 EulerOS Security Update for httpd (EulerOS-SA-2022-1290)
- 671419 EulerOS Security Update for httpd (EulerOS-SA-2022-1349)
- 671509 EulerOS Security Update for httpd (EulerOS-SA-2022-1488)
- 671515 EulerOS Security Update for httpd (EulerOS-SA-2022-1507)
- 690751 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (ca982e2d-61a9-11ec-8be6-d4c9ef517024)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 730313 Apache Hypertext Transfer Protocol (HTTP) Server NULL Pointer Dereference and Server Side Request Forgery (SSRF) Vulnerability
- 751596 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0065-1)
- 751604 OpenSUSE Security Update for apache2 (openSUSE-SU-2022:0091-1)
- 751606 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0119-1)
- 751711 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0440-1)
- 752001 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0091-1)
- 753104 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0091-2)
- 900352 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (7034)
- 901448 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (7043-1)
- 940509 AlmaLinux Security Update for httpd:2.4 (ALSA-2022:1915)
- 960327 Rocky Linux Security Update for httpd:2.4 (RLSA-2022:1915)