'Re: [oss-security] CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/
From:       Christophe JAILLET <christophe.jaillet () wanadoo ! fr>
Date:       2021-06-10 17:18:55
Message-ID: 8feb8989-3b53-a97a-4421-ef8e47cce53d () wanadoo ! fr
[Download RAW message or body]


Le 10/06/2021 à 16:38, John Helmert III a écrit :
> On Wed, Jun 09, 2021 at 11:11:00PM +0200, Christophe JAILLET wrote:
> > CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
> > 
> > Severity: important
> > 
> > Vendor: The Apache Software Foundation
> > 
> > Versions Affected:
> > 2.4.47
> > httpd
> > Description:
> > Apache HTTP Server 2.4.47
> > Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers \
> > against the size limitations as configured for the server and used for the HTTP/1 protocol \
> > as well. On violation of these restrictions and HTTP response is sent to the client with a \
> > status code indicating why the request was rejected. 
> > This rejection response was not fully initialised in the HTTP/2 protocol handler if the \
> > offending header was the very first one received or appeared in a a footer. This led to a \
> > NULL pointer dereference on initialised memory, crashing reliably the child process. Since \
> > such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS \
> > the server. 
> > This affected versions prior to 2.4.47
> The announcement on the website indicates the affected versions for
> CVE-2021-31618 are <2.4.48 and in the below table it indicates <=2.4.48
> are affected. Both of these are different from the mail advisory, can
> you clarify the affected versions, please?

Hi,

in fact it was fixed in 2.4.47, BUT this version was never announced and 
has never been visible from the httpd.apache.org website.

So from an end-user point of view if was really fixed in 2.4.48 (and 
2.4.47 does not exist).

We'll clarify internally how we should proceed in such cases to avoid 
such questions.
The information should be consistent wherever you look for it.

Hope this clarify the situation.

Best regards,

CJ


> > Mitigation:
> > none
> > 
> > Credit:
> > Apache HTTP server would like to thank  LI ZHI XIN from NSFocus for reporting this.
> > 
> > References:
> > https://httpd.apache.org/security/vulnerabilities_24.html
> > 


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic