oss-sec mailing list archives
Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request
From: John Helmert III <jchelmert3 () posteo net>
Date: Thu, 10 Jun 2021 14:38:14 +0000
On Wed, Jun 09, 2021 at 11:11:00PM +0200, Christophe JAILLET wrote:
CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request Severity: important Vendor: The Apache Software Foundation Versions Affected: 2.4.47 httpd Description: Apache HTTP Server 2.4.47 Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This affected versions prior to 2.4.47
The announcement on the website indicates the affected versions for CVE-2021-31618 are <2.4.48 and in the below table it indicates <=2.4.48 are affected. Both of these are different from the mail advisory, can you clarify the affected versions, please?
Mitigation: none Credit: Apache HTTP server would like to thank LI ZHI XIN from NSFocus for reporting this. References: https://httpd.apache.org/security/vulnerabilities_24.html
Attachment:
signature.asc
Description:
Current thread:
- CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request Christophe JAILLET (Jun 10)
- Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request John Helmert III (Jun 10)
- Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request Christophe JAILLET (Jun 10)
- Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request John Helmert III (Jun 10)