CVE-2021-31618
Description
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
38<=2.4.47+ 1 more
- (no CPE)range: <=2.4.47
- (no CPE)range: 2.4.47
- osv-coords35 versionspkg:bitnami/apachepkg:rpm/opensuse/apache2&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/apache2&distro=openSUSE%20Leap%2015.3pkg:rpm/suse/apache2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/apache2&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/apache2&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/apache2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/apache2&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 1.15.17, < 1.15.18+ 34 more
- (no CPE)range: >= 1.15.17, < 1.15.18
- (no CPE)range: < 2.4.43-lp152.2.15.1
- (no CPE)range: < 2.4.43-3.22.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.43-3.22.1
- (no CPE)range: < 2.4.43-3.22.1
- (no CPE)range: < 2.4.43-3.22.1
- (no CPE)range: < 2.4.43-3.22.1
- (no CPE)range: < 2.4.43-3.22.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.33-3.50.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
- (no CPE)range: < 2.4.23-29.74.1
Patches
Vulnerability mechanics
References
13- www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party Advisory
- httpd.apache.org/security/vulnerabilities_24.htmlnvdRelease NotesVendor Advisory
- www.openwall.com/lists/oss-security/2021/06/10/9nvdMailing ListThird Party Advisory
- lists.debian.org/debian-lts-announce/2021/07/msg00006.htmlnvdMailing ListThird Party Advisory
- seclists.org/oss-sec/2021/q2/206nvdMailing ListThird Party Advisory
- security.gentoo.org/glsa/202107-38nvdThird Party Advisory
- security.netapp.com/advisory/ntap-20210727-0008/nvdThird Party Advisory
- www.debian.org/security/2021/dsa-4937nvdThird Party Advisory
- www.openwall.com/lists/oss-security/2024/03/13/2nvd
- lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3Envd
- lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3Envd
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/nvd
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/nvd
News mentions
0No linked articles in our index yet.