First published: Tue Oct 05 2021
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el8 | 0:2.4.51-28.el8 |
redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el7 | 0:2.4.51-28.el7 |
Apache HTTP server | =2.4.49 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Netapp Cloud Backup | | |
redhat/httpd | <2.4.50 | 2.4.50 |
CVE-2021-41524 is a null pointer dereference vulnerability in the 2.4.49 version of httpd.
CVE-2021-41524 has a severity rating of 7.5 (High).
CVE-2021-41524 allows an external source to cause a Denial of Service (DoS) on the server by sending a specially crafted request.
CVE-2021-41524 affects version 2.4.49 of httpd.
To fix CVE-2021-41524, you should update httpd to version 2.4.50 or higher.