CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
First published: Fri Jun 04 2021(Updated: )
A null pointer de-reference was found in the way httpd handled specially crafted HTTP/2 request. A remote attacker could use this flaw to crash the httpd child process, causing temporary denial of service.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/http | <2.4.48 | 2.4.48 |
| Apache Http Server | =1.15.17 | |
| Apache Http Server | =2.4.47 | |
| Fedora | =33 | |
| Fedora | =34 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| oracle instantis enterprisetrack | =17.1 | |
| oracle instantis enterprisetrack | =17.2 | |
| oracle instantis enterprisetrack | =17.3 | |
| Oracle Sun ZFS Storage Appliance Kit | =8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-31618 https://nvd.nist.gov/vuln/detail/CVE-2021-31618 https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1968013
- https://access.redhat.com/security/cve/cve-2021-31618
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2021/06/10/9
- https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1@%3Ccvs.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/
- https://seclists.org/oss-sec/2021/q2/206
- https://security.gentoo.org/glsa/202107-38
- https://security.netapp.com/advisory/ntap-20210727-0008/
- https://www.debian.org/security/2021/dsa-4937
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/commit/f990e5ecad40b100a8a5c7c1033c46044a9cb244
- http://svn.apache.org/viewvc?view=revision&revision=1889759
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968261
- https://github.com/icing/mod_h2/commit/1207f69bff3804c7920a57af7649d1eef8b645de#diff-fb0096c49677980d95821ee43f691777ce0645add49981d04c542b92980ea533
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
- https://access.redhat.com/errata/RHSA-2021:2471
- https://access.redhat.com/errata/RHSA-2021:2472
- https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/
- http://www.openwall.com/lists/oss-security/2024/03/13/2
Frequently Asked Questions
What is CVE-2021-31618?
CVE-2021-31618 is a null pointer de-reference vulnerability found in the Apache HTTP Server protocol handler for the HTTP/2 protocol.
What is the severity of CVE-2021-31618?
The severity of CVE-2021-31618 is high, with a CVSS severity score of 7.5.
Which software versions are affected by CVE-2021-31618?
The Apache HTTP Server versions 2.4.47 and 2.4.48, as well as some specific versions of Fedora, Debian, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack, and Oracle ZFS Storage Appliance Kit are affected.
How does CVE-2021-31618 impact the Apache HTTP Server?
CVE-2021-31618 allows an attacker to exploit a null pointer de-reference vulnerability, potentially causing a denial-of-service condition by crashing the server process.
How can I mitigate CVE-2021-31618?
To mitigate CVE-2021-31618, it is recommended to upgrade to Apache HTTP Server version 2.4.49 or apply the necessary patches provided by the distribution vendor.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- collector/oss-sec
- source/oss-sec
- alias/CVE-2021-31618
- agent/description
- agent/references
- agent/title
- agent/event
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/1.15.17
- version/apache http server/2.4.47
- vendor/fedoraproject
- canonical/fedora
- version/fedora/33
- version/fedora/34
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle sun zfs storage appliance kit
- version/oracle sun zfs storage appliance kit/8.8