CVE-2021-26691: Apache HTTP Server mod_session response handling heap overflow
First published: Tue Jun 01 2021(Updated: )
A heap overflow flaw was found In Apache httpd mod_session. The highest threat from this vulnerability is to system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr | <0:1.6.3-107.el8 | 0:1.6.3-107.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-84.el8 | 0:1.6.1-84.el8 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-2.el8 | 0:7.78.0-2.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-78.el8 | 0:2.4.37-78.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-39.el8 | 0:1.39.2-39.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-8.el8 | 1:1.1.1g-8.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-7.el8 | 0:1.0.0-7.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-22.el8 | 0:0.4.10-22.el8 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-107.jbcs.el7 | 0:1.6.3-107.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-84.jbcs.el7 | 0:1.6.1-84.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-2.jbcs.el7 | 0:7.78.0-2.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-78.jbcs.el7 | 0:2.4.37-78.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-39.jbcs.el7 | 0:1.39.2-39.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-8.jbcs.el7 | 1:1.1.1g-8.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-7.jbcs.el7 | 0:1.0.0-7.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-22.jbcs.el7 | 0:0.4.10-22.jbcs.el7 |
| redhat/httpd | <0:2.4.6-97.el7_9.4 | 0:2.4.6-97.el7_9.4 |
| Apache HTTP server | >=2.4.0<=2.4.46 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Secure Backup | <18.1.0.1.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Netapp Cloud Backup |
Remedy
Only configurations which use the "SessionEnv" directive (which is not widely used) are vulnerable to this flaw. SessionEnv is not enabled in default configuration of httpd package shipped with Red Hat Products.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-26691 https://nvd.nist.gov/vuln/detail/CVE-2021-26691 https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1966732
- https://access.redhat.com/errata/RHSA-2021:4614
- https://access.redhat.com/errata/RHSA-2022:0143
- https://access.redhat.com/errata/RHSA-2021:3816
- https://access.redhat.com/errata/RHSA-2021:4613
- https://access.redhat.com/security/cve/cve-2021-26691
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2021/06/10/7
- https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe@%3Cannounce.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd@%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://security.gentoo.org/glsa/202107-38
- https://security.netapp.com/advisory/ntap-20210702-0001/
- https://www.debian.org/security/2021/dsa-4937
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1969233
- https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe%40%3Cannounce.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-26691?
CVE-2021-26691 is a heap overflow vulnerability in Apache httpd mod_session.
How does CVE-2021-26691 affect Apache HTTP Server?
CVE-2021-26691 affects Apache HTTP Server versions 2.4.0 to 2.4.46 and can cause a heap overflow when a specially crafted SessionHeader is sent by an origin server.
What is the severity of CVE-2021-26691?
CVE-2021-26691 has a severity rating of 9.8 (Critical).
How can I fix CVE-2021-26691?
To fix CVE-2021-26691, update your Apache HTTP Server to version 2.4.47 or higher.
Where can I find more information about CVE-2021-26691?
You can find more information about CVE-2021-26691 at the following references: [GitHub](https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b), [Red Hat Security Policy](https://access.redhat.com/support/policy/updates/jboss_notes), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1969233).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-26691
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/references
- agent/event
- agent/tags
- agent/description
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.0
- version/apache http server/2.4.46
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle secure backup
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/netapp
- canonical/netapp cloud backup