Vulnerability Description
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | 1.15.17 |
| Fedoraproject | Fedora | 33 |
| Debian | Debian Linux | 9.0 |
| Oracle | Enterprise Manager Ops Center | 12.4.0.0 |
| Oracle | Instantis Enterprisetrack | 17.1 |
| Oracle | Zfs Storage Appliance Kit | 8.8 |
Related Weaknesses (CWE)
References
- http://httpd.apache.org/security/vulnerabilities_24.htmlRelease NotesVendor Advisory
- http://www.openwall.com/lists/oss-security/2021/06/10/9Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2024/03/13/2
- https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525c
- https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d8286643899
- https://lists.debian.org/debian-lts-announce/2021/07/msg00006.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://seclists.org/oss-sec/2021/q2/206Mailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202107-38Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210727-0008/Third Party Advisory
- https://www.debian.org/security/2021/dsa-4937Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- http://httpd.apache.org/security/vulnerabilities_24.htmlRelease NotesVendor Advisory
- http://www.openwall.com/lists/oss-security/2021/06/10/9Mailing ListThird Party Advisory
FAQ
What is CVE-2021-31618?
CVE-2021-31618 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On viola...
How severe is CVE-2021-31618?
CVE-2021-31618 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31618?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Fedoraproject Fedora, Debian Debian Linux, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack.