CVE-2021-44790

Summary

CVE	CVE-2021-44790
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-12-20 12:15:00 UTC
Updated	2023-11-07 03:39:00 UTC
Description	A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Risk And Classification

Problem Types: CWE-787

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Http Server	All	All	All	All
Operating System	Apple	Macos	All	All	All	All
Operating System	Apple	Macos	10.15.7	security_update_2020-001	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-001	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-002	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-003	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-004	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-005	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-006	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-007	All	All
Operating System	Apple	Macos	10.15.7	security_update_2021-008	All	All
Operating System	Apple	Macos	10.15.7	security_update_2022-001	All	All
Operating System	Apple	Macos	10.15.7	security_update_2022-002	All	All
Operating System	Apple	Macos	10.15.7	security_update_2022-003	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2020-001	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-001	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-002	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-003	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-004	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-005	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-006	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-007	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2021-008	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2022-001	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2022-002	All	All
Operating System	Apple	Mac Os X	10.15.7	security_update_2022-003	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Application	Netapp	Cloud Backup	-	All	All	All
Application	Oracle	Communications Element Manager	All	All	All	All
Application	Oracle	Communications Operations Monitor	4.3	All	All	All
Application	Oracle	Communications Operations Monitor	4.4	All	All	All
Application	Oracle	Communications Operations Monitor	5.0	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Http Server	12.2.1.3.0	All	All	All
Application	Oracle	Http Server	12.2.1.4.0	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.1	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.2	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.3	All	All	All
Application	Oracle	Zfs Storage Appliance Kit	8.8	All	All	All
Application	Tenable	Tenable.sc	All	All	All	All

References

Reference	Source	Link	Tags
Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project	MISC	httpd.apache.org
Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] Fedora 36 Update: httpd-2.4.53-1.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
About the security content of macOS Big Sur 11.6.6 - Apple Support	CONFIRM	support.apple.com
Full Disclosure: APPLE-SA-2022-05-16-2 macOS Monterey 12.4	FULLDISC	seclists.org
About the security content of macOS Monterey 12.4 - Apple Support	CONFIRM	support.apple.com
oss-security - CVE-2021-44790: Apache HTTP Server: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier	MLIST	www.openwall.com
[R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[SECURITY] Fedora 34 Update: httpd-2.4.53-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Apache 2.4.x Buffer Overflow ≈ Packet Storm	MISC	packetstormsecurity.com
Debian -- Security Information -- DSA-5035-1 apache2	DEBIAN	www.debian.org
About the security content of Security Update 2022-004 Catalina - Apple Support	CONFIRM	support.apple.com
[SECURITY] Fedora 35 Update: httpd-2.4.53-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[SECURITY] Fedora 36 Update: httpd-2.4.53-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Full Disclosure: APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6	FULLDISC	seclists.org
[SECURITY] Fedora 34 Update: httpd-2.4.53-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: httpd-2.4.52-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Full Disclosure: APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina	FULLDISC	seclists.org
[SECURITY] Fedora 35 Update: httpd-2.4.53-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
December 2021 Apache HTTP Server Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 35 Update: httpd-2.4.52-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Chamal

LEGACY: Anonymous working with Trend Micro Zero Day Initiative

Legacy QID Mappings

150462 Apache HTTP Server Buffer Overflow Vulnerability (CVE-2021-44790)
159594 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-0143)
159602 Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-0258)
178985 Debian Security Update for apache2 (DSA 5035-1)
179048 Debian Security Update for apache2 (DLA 2907-1)
184936 Debian Security Update for apache2 (CVE-2021-44790)
198620 Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5212-1)
240007 Red Hat Update for httpd (RHSA-2022:0143)
240038 Red Hat Update for httpd:2.4 (RHSA-2022:0258)
240041 Red Hat Update for httpd24-httpd (RHSA-2022:0303)
240426 Red Hat Update for httpd:2.4 (RHSA-2022:0288)
257148 CentOS Security Update for httpd (CESA-2022:0143)
282186 Fedora Security Update for httpd (FEDORA-2021-29a536c2ae)
282500 Fedora Security Update for httpd (FEDORA-2022-b4103753e9)
282521 Fedora Security Update for httpd (FEDORA-2022-21264ec6db)
296061 Oracle Solaris 11.4 Support Repository Update (SRU) 42.113.1 Missing (CPUJAN2022)
353114 Amazon Linux Security Advisory for httpd24 : ALAS-2022-1560
353126 Amazon Linux Security Advisory for httpd : ALAS2-2022-1737
354343 Amazon Linux Security Advisory for httpd : ALAS2022-2022-018
354482 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
354577 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
355264 Amazon Linux Security Advisory for httpd : ALAS2023-2023-072
376607 Apple macOS Security Update 2022-004 Catalina (HT213255)
376608 Apple MacOS Big Sur 11.6.6 Not Installed (HT213256)
376612 Apple macOS Monterey 12.4 Not Installed (HT213257)
377218 Alibaba Cloud Linux Security Update for httpd (ALINUX2-SA-2022:0004)
377378 Alibaba Cloud Linux Security Update for httpd:2.4 (ALINUX3-SA-2022:0017)
378371 IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (6540288)
500025 Alpine Linux Security Update for apache2
503716 Alpine Linux Security Update for apache2
590870 Mitsubishi Electric MELSOFT iQ AppPortal Multiple Vulnerabilities (ICSA-22-132-02)
671368 EulerOS Security Update for httpd (EulerOS-SA-2022-1306)
671389 EulerOS Security Update for httpd (EulerOS-SA-2022-1290)
671402 EulerOS Security Update for httpd (EulerOS-SA-2022-1326)
671419 EulerOS Security Update for httpd (EulerOS-SA-2022-1349)
671509 EulerOS Security Update for httpd (EulerOS-SA-2022-1488)
671515 EulerOS Security Update for httpd (EulerOS-SA-2022-1507)
671659 EulerOS Security Update for httpd (EulerOS-SA-2022-1730)
690751 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (ca982e2d-61a9-11ec-8be6-d4c9ef517024)
710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
730312 Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability
751596 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0065-1)
751604 OpenSUSE Security Update for apache2 (openSUSE-SU-2022:0091-1)
751606 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0119-1)
751711 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0440-1)
752001 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0091-1)
753104 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0091-2)
900337 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (7035)
901425 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (7044-1)
940438 AlmaLinux Security Update for httpd:2.4 (ALSA-2022:0258)
960730 Rocky Linux Security Update for httpd:2.4 (RLSA-2022:0258)