https://httpd.apache.org/security/vulnerabilities_24.html

[oss-security] 20211005 CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing

FEDORA-2021-5d2d4b6ac5

20211007 Apache HTTP Server Vulnerabilties: October 2021

https://security.netapp.com/advisory/ntap-20211029-0009/

FEDORA-2021-f94985afca

The version of httpd24 installed on the remote host is prior to 2.4.51-1.94. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1543 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

  - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request     processing, allowing an external source to DoS the server. This requires a specially crafted request. The     vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
    (CVE-2021-41524)

  - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could     use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This     issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found     to be incomplete, see CVE-2021-42013. (CVE-2021-41773)

  - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker     could use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache     2.4.50 and not earlier versions. (CVE-2021-42013)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of httpd installed on the remote host is prior to 2.4.51-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1716 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

  - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request     processing, allowing an external source to DoS the server. This requires a specially crafted request. The     vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
    (CVE-2021-41524)

  - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could     use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This     issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found     to be incomplete, see CVE-2021-42013. (CVE-2021-41773)

  - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker     could use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache     2.4.50 and not earlier versions. (CVE-2021-42013)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Apache http server project reports :

- moderate: NULL pointer dereference in h2 fuzzing (CVE-2021-41524)

- important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)

According to its banner, the version of Apache running on the remote host is 2.4.49. It is, therefore, affected by multiple vulnerabilities:

 - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)

 - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by require all denied these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. (CVE-2021-41773) Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is 2.4.49. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.50 advisory.

  - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request     processing, allowing an external source to DoS the server. This requires a specially crafted request. The     vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
    (CVE-2021-41524)

  - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could     use a path traversal attack to map URLs to files outside the expected document root. If files outside of     the document root are not protected by require all denied these requests can succeed. Additionally this     flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in     the wild. This issue only affects Apache 2.4.49 and not earlier versions. (CVE-2021-41773)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
154188	Amazon Linux AMI : httpd24 (ALAS-2021-1543)	Nessus	Amazon Linux Local Security Checks	critical
154179	Amazon Linux 2 : httpd (ALAS-2021-1716)	Nessus	Amazon Linux Local Security Checks	critical
153894	FreeBSD : Apache httpd -- Multiple vulnerabilities (25b78bdd-25b8-11ec-a341-d4c9ef517024)	Nessus	FreeBSD Local Security Checks	high
113014	Apache 2.4.49 < 2.4.50 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
153884	Apache 2.4.49 < 2.4.50 Multiple Vulnerabilities	Nessus	Web Servers	high

CVE-2021-41524

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

high

high

high