CVE-2021-31618

NULL pointer dereference on specially crafted HTTP/2 request

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

El administrador de protocolos del servidor HTTP Apache para el protocolo HTTP/2 comprueba las encabezados de las peticiones recibidas frente a las limitaciones de tamaño configuradas para el servidor y usadas también para el protocolo HTTP/1. En caso de violación de estas restricciones, se envía una respuesta HTTP al cliente con un código de estado indicando por qué se ha rechazado la petición. Esta respuesta de rechazo no se inicializaba completamente en el manejador del protocolo HTTP/2 si la cabecera infractora era la primera que se recibía o aparecía en un pie de página. Esto conllevaba una desviación del puntero NULL en la memoria inicializada, bloqueando de forma fiable el proceso hijo. Dado que desencadenar una petición HTTP/2 de este tipo es fácil de diseñar y enviar, esto puede ser explotado para hacer una DoS al servidor. Este problema afectaba únicamente a mod_http2 versión 1.15.17 y a la versión 2.4.47 del servidor HTTP de Apache. Apache HTTP Server versión 2.4.47 nunca fue liberado

*Credits: Apache HTTP server would like to thank LI ZHI XIN from NSFocus for reporting this.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-04-23 CVE Reserved
2021-06-15 CVE Published
2024-08-03 CVE Updated
2024-09-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (13)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/06/10/9	Mailing List
http://www.openwall.com/lists/oss-security/2024/03/13/2	Mailing List
https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html	Mailing List
https://seclists.org/oss-sec/2021/q2/206	Mailing List
https://security.netapp.com/advisory/ntap-20210727-0008	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuoct2021.html	2024-05-01

URL	Date	SRC
http://httpd.apache.org/security/vulnerabilities_24.html	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR	2024-05-01
https://security.gentoo.org/glsa/202107-38	2024-05-01
https://www.debian.org/security/2021/dsa-4937	2024-05-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				1.15.17 Search vendor "Apache" for product "Http Server" and version "1.15.17"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.47 Search vendor "Apache" for product "Http Server" and version "2.4.47"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center"				12.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.1 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.1"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.2 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.2"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.3 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.3"		-		Affected
Oracle Search vendor "Oracle"		Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit"				8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"		-		Affected