CVE-2021-31618

Published: 15 June 2021

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions an HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a footer. This led to a NULL pointer dereference on initialised memory, reliably crashing the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

Priority

Medium

Status

Package    Release                             Status
apache2    (Launchpad, Ubuntu, Debian)
           Upstream                            Released (2.4.46-5)
           Ubuntu 21.04 (Hirsute Hippo)        Not vulnerable
           Ubuntu 20.10 (Groovy Gorilla)       Not vulnerable
           Ubuntu 20.04 LTS (Focal Fossa)      Not vulnerable
           Ubuntu 18.04 LTS (Bionic Beaver)    Not vulnerable
           Ubuntu 16.04 ESM (Xenial Xerus)     Not vulnerable
           Ubuntu 14.04 ESM (Trusty Tahr)      Not vulnerable

Patches:
Upstream: https://github.com/apache/httpd/commit/f990e5ecad40b100a8a5c7c1033c46044a9cb244
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1889759
Upstream: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759

Notes

Author     Note
mdeslaur   per upstream advisory, "This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released."
           seems introduced by:
           https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4

           Not sure the Debian patch in 2.4.46-5 is right, need to investigate

References

Bugs