First published: Thu Sep 16 2021(Updated: )
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd | <2.4.49 | 2.4.49 |
redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el8 | 0:2.4.51-28.el8 |
redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el7 | 0:2.4.51-28.el7 |
redhat/httpd24-httpd | <0:2.4.34-23.el7.5 | 0:2.4.34-23.el7.5 |
debian/apache2 | 2.4.38-3+deb10u8 2.4.38-3+deb10u10 2.4.56-1~deb11u2 2.4.56-1~deb11u1 2.4.57-2 2.4.57-3 2.4.58-1 | |
debian/uwsgi | <=2.0.18-1<=2.0.19.1-7.1<=2.0.21-5.1<=2.0.22-4 | |
Apache HTTP server | >=2.4.30<=2.4.48 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Netapp Cloud Backup | ||
NetApp Clustered Data ONTAP | ||
Netapp Storagegrid | ||
Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
Oracle Enterprise Manager Base Platform | =13.5.0.0 | |
Oracle HTTP Server | =12.2.1.3.0 | |
Oracle HTTP Server | =12.2.1.4.0 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
Broadcom Brocade Fabric Operating System Firmware |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The severity of CVE-2021-36160 is high, with a severity value of 7.5.
CVE-2021-36160 can cause the service to crash, posing a threat to system availability.
CVE-2021-36160 affects versions up to exclusive 2.4.49 of the httpd package, 0:2.4.51-28.el8 and 0:2.4.51-28.el7 of jbcs-httpd24-httpd package, 0:2.4.34-23.el7.5 of httpd24-httpd package, and various versions of apache2 and uwsgi packages in Debian.
To fix CVE-2021-36160, it is recommended to update the affected software to the specified remedy versions provided by the respective sources (Red Hat, Debian, etc.).
For more information about CVE-2021-36160, you can refer to the references provided: http://httpd.apache.org/security/vulnerabilities_24.html, https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005125, and https://access.redhat.com/errata/RHSA-2022:1915.