CVE-2021-36160
First published: Thu Sep 16 2021(Updated: )
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd | <2.4.49 | 2.4.49 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el8 | 0:2.4.51-28.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el7 | 0:2.4.51-28.el7 |
| redhat/httpd24-httpd | <0:2.4.34-23.el7.5 | 0:2.4.34-23.el7.5 |
| debian/apache2 | 2.4.38-3+deb10u8 2.4.38-3+deb10u10 2.4.56-1~deb11u2 2.4.56-1~deb11u1 2.4.57-2 2.4.57-3 2.4.58-1 | |
| debian/uwsgi | <=2.0.18-1<=2.0.19.1-7.1<=2.0.21-5.1<=2.0.22-4 | |
| Apache HTTP server | >=2.4.30<=2.4.48 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Netapp Cloud Backup | ||
| NetApp Clustered Data ONTAP | ||
| Netapp Storagegrid | ||
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
| Oracle Enterprise Manager Base Platform | =13.5.0.0 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Broadcom Brocade Fabric Operating System Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70@%3Ccvs.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html
- https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211008-0004/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
- https://www.debian.org/security/2021/dsa-4982
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005125
- https://access.redhat.com/errata/RHSA-2022:1915
- https://access.redhat.com/security/cve/cve-2021-36160
- https://access.redhat.com/errata/RHSA-2022:6753
- https://access.redhat.com/errata/RHSA-2022:7144
- https://access.redhat.com/errata/RHSA-2022:7143
- https://bugzilla.redhat.com/show_bug.cgi?id=2005124
- https://www.cve.org/CVERecord?id=CVE-2021-36160 https://nvd.nist.gov/vuln/detail/CVE-2021-36160
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-36160
- https://github.com/apache/httpd/commit/b364cad72b48dd40fbc2850e525b845406520f0b
- https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
- https://github.com/apache/httpd/commit/8966e290a6e947fad0289bf4e243b0b552e13726
- https://security-tracker.debian.org/tracker/CVE-2021-36160
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-36160?
The severity of CVE-2021-36160 is high, with a severity value of 7.5.
How does CVE-2021-36160 affect system availability?
CVE-2021-36160 can cause the service to crash, posing a threat to system availability.
Which software versions are affected by CVE-2021-36160?
CVE-2021-36160 affects versions up to exclusive 2.4.49 of the httpd package, 0:2.4.51-28.el8 and 0:2.4.51-28.el7 of jbcs-httpd24-httpd package, 0:2.4.34-23.el7.5 of httpd24-httpd package, and various versions of apache2 and uwsgi packages in Debian.
How can CVE-2021-36160 be fixed?
To fix CVE-2021-36160, it is recommended to update the affected software to the specified remedy versions provided by the respective sources (Red Hat, Debian, etc.).
Where can I find more information about CVE-2021-36160?
For more information about CVE-2021-36160, you can refer to the references provided: http://httpd.apache.org/security/vulnerabilities_24.html, https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005125, and https://access.redhat.com/errata/RHSA-2022:1915.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-36160
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.30
- version/apache http server/2.4.48
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp clustered data ontap
- canonical/netapp storagegrid
- vendor/oracle
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.4.0.0
- version/oracle enterprise manager base platform/13.5.0.0
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/broadcom
- canonical/broadcom brocade fabric operating system firmware
- package-manager/redhat
- package-manager/debian