CVE-2021-31618

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:http_server:1.15.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.47:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

History

07 Nov 2023, 03:34

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/', 'name': 'FEDORA-2021-181f29c392', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1@%3Ccvs.httpd.apache.org%3E', 'name': '[httpd-cvs] 20210615 svn commit: r1075782 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_24.html', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f@%3Ccvs.httpd.apache.org%3E', 'name': '[httpd-cvs] 20210615 svn commit: r1890801 - /httpd/site/trunk/content/security/json/CVE-2021-31618.json', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/', 'name': 'FEDORA-2021-051639aad4', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/ -
  • () https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E -
  • () https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/ -

10 Dec 2021, 17:05

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory

20 Oct 2021, 11:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

20 Sep 2021, 13:52

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210727-0008/ - Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html - (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html - Mailing List, Third Party Advisory
References (GENTOO) https://security.gentoo.org/glsa/202107-38 - (GENTOO) https://security.gentoo.org/glsa/202107-38 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2021/dsa-4937 - (DEBIAN) https://www.debian.org/security/2021/dsa-4937 - Third Party Advisory

30 Jul 2021, 14:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202107-38 -

17 Jul 2021, 08:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-4937 -

09 Jul 2021, 12:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html -

24 Jun 2021, 15:18

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.47:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.15.17:*:*:*:*:*:*:*
References (MLIST) https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1@%3Ccvs.httpd.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/ - Mailing List, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/ - Mailing List, Third Party Advisory
References (MISC) http://httpd.apache.org/security/vulnerabilities_24.html - (MISC) http://httpd.apache.org/security/vulnerabilities_24.html - Release Notes, Vendor Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2021/06/10/9 - (MLIST) http://www.openwall.com/lists/oss-security/2021/06/10/9 - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f@%3Ccvs.httpd.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory
References (MISC) https://seclists.org/oss-sec/2021/q2/206 - (MISC) https://seclists.org/oss-sec/2021/q2/206 - Mailing List, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
CWE CWE-476

20 Jun 2021, 03:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/ -
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/ -

15 Jun 2021, 22:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/06/10/9 -

15 Jun 2021, 10:34

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1@%3Ccvs.httpd.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f@%3Ccvs.httpd.apache.org%3E -

15 Jun 2021, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-06-15 09:15

Updated : 2023-12-10 13:55


NVD link : CVE-2021-31618

Mitre link : CVE-2021-31618

CVE.ORG link : CVE-2021-31618


JSON object : View

Products Affected

debian

  • debian_linux

fedoraproject

  • fedora

oracle

  • instantis_enterprisetrack
  • zfs_storage_appliance_kit
  • enterprise_manager_ops_center

apache

  • http_server
CWE
CWE-476

NULL Pointer Dereference