Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request

[John Helmert III <jchelmert3 () posteo net>]

On Wed, Jun 09, 2021 at 11:11:00PM +0200, Christophe JAILLET wrote:
> CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
>
> Severity: important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> 2.4.47
> httpd 
> Description:
> Apache HTTP Server 2.4.47
> Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size 
> limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions 
> and HTTP response is sent to the client with a status code indicating why the request was rejected.
>
> This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very 
> first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing 
> reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited 
> to DoS the server.
>
> This affected versions prior to 2.4.47

The announcement on the website indicates the affected versions for
CVE-2021-31618 are <2.4.48 and in the below table it indicates <=2.4.48
are affected. Both of these are different from the mail advisory, can
you clarify the affected versions, please?

> Mitigation:
> none
>
> Credit:
> Apache HTTP server would like to thank  LI ZHI XIN from NSFocus for reporting this.
>
> References:
> https://httpd.apache.org/security/vulnerabilities_24.html

Attachment: signature.asc
Description: