CVE-2021-39275: ap_escape_quotes buffer overflow
First published: Thu Sep 16 2021(Updated: )
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache HTTP server | <=2.4.48 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Netapp Cloud Backup | ||
| NetApp Clustered Data ONTAP | ||
| Netapp Storagegrid | ||
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Siemens SINEC NMS | ||
| Siemens SINEMA Server | =14.0 | |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el8 | 0:2.4.51-28.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el7 | 0:2.4.51-28.el7 |
| redhat/httpd | <0:2.4.6-97.el7_9.4 | 0:2.4.6-97.el7_9.4 |
| redhat/httpd24-httpd | <0:2.4.34-23.el7.5 | 0:2.4.34-23.el7.5 |
| debian/apache2 | 2.4.38-3+deb10u8 2.4.38-3+deb10u10 2.4.56-1~deb11u2 2.4.56-1~deb11u1 2.4.57-2 2.4.57-3 2.4.58-1 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-39275 https://nvd.nist.gov/vuln/detail/CVE-2021-39275
- https://bugzilla.redhat.com/show_bug.cgi?id=2005119
- https://access.redhat.com/errata/RHSA-2022:7143
- https://access.redhat.com/errata/RHSA-2022:0143
- https://access.redhat.com/errata/RHSA-2022:0891
- https://access.redhat.com/errata/RHSA-2022:7144
- https://access.redhat.com/errata/RHSA-2022:6753
- https://access.redhat.com/security/cve/cve-2021-39275
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-39275
- https://github.com/apache/httpd/commit/d8bce6f575abb29997bba358b31842bf757776c6
- https://github.com/apache/httpd/commit/e0fec7d48dab1924c5a6b48819ce1cf420733f62
- https://github.com/apache/httpd/commit/8f09caf9945f3c80563bc4a776b04fbba239ca71
- https://github.com/apache/httpd/commit/c69d4cc90c0e27703030b3ff09f91bf4dcbcfd51
- https://github.com/apache/httpd/commit/ac62c7e7436560cf4f7725ee586364ce95c07804
- https://security-tracker.debian.org/tracker/CVE-2021-39275
- https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211008-0004/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
- https://www.debian.org/security/2021/dsa-4982
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005120
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-39275?
CVE-2021-39275 is a vulnerability in the Apache HTTP server that allows an unauthenticated remote attacker to crash the server or potentially execute code with the privileges of the httpd user.
How severe is CVE-2021-39275?
CVE-2021-39275 has a severity rating of 9.8 (Critical) out of 10.
Which software versions are affected by CVE-2021-39275?
CVE-2021-39275 affects Apache HTTP server versions up to and excluding 2.4.49, as well as various other software packages.
How can CVE-2021-39275 be fixed?
To fix CVE-2021-39275, update Apache HTTP server to version 2.4.49 or apply the appropriate security patches provided by the software vendor.
Where can I find more information about CVE-2021-39275?
You can find more information about CVE-2021-39275 on the Apache HTTP server website and the Red Hat Bugzilla.
- collector/redhat-cve
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-39275
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/event
- agent/tags
- agent/trending
- package-manager/redhat
- package-manager/debian
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.48
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp clustered data ontap
- canonical/netapp storagegrid
- vendor/oracle
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/siemens
- canonical/siemens sinec nms
- canonical/siemens sinema server
- version/siemens sinema server/14.0