CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
First published: Mon Dec 20 2021(Updated: )
apache. Multiple issues were addressed by updating apache to version 2.4.53.
Credit: CVE-2021-44224 CVE-2021-44790 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2021-44224 CVE-2021-44790 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2021-44224 CVE-2021-44790 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple Catalina | ||
| Apple macOS Big Sur | <11.6.6 | 11.6.6 |
| <12.4 | 12.4 | |
| Apache HTTP server | >=2.4.7<2.4.52 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Tenable Tenable.sc | >=5.14.0<5.20.0 | |
| Tenable Tenable.sc | >=5.16.0<202201.1 | |
| Oracle Communications Element Manager | <9.0 | |
| Oracle Communications Operations Monitor | =4.0 | |
| Oracle Communications Operations Monitor | =4.3 | |
| Oracle Communications Operations Monitor | =4.4 | |
| Oracle Communications Operations Monitor | =5.0 | |
| Oracle Communications Session Report Manager | <9.0 | |
| Oracle Communications Session Route Manager | <9.0 | |
| Oracle HTTP Server | ||
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Apple Mac OS X | =10.15.7 | |
| Apple Mac OS X | =10.15.7-security_update_2020-001 | |
| Apple Mac OS X | =10.15.7-security_update_2021-001 | |
| Apple Mac OS X | =10.15.7-security_update_2021-002 | |
| Apple Mac OS X | =10.15.7-security_update_2021-003 | |
| Apple Mac OS X | =10.15.7-security_update_2021-004 | |
| Apple Mac OS X | =10.15.7-security_update_2021-005 | |
| Apple Mac OS X | =10.15.7-security_update_2021-006 | |
| Apple Mac OS X | =10.15.7-security_update_2021-007 | |
| Apple Mac OS X | =10.15.7-security_update_2021-008 | |
| Apple Mac OS X | =10.15.7-security_update_2022-001 | |
| Apple Mac OS X | =10.15.7-security_update_2022-002 | |
| Apple Mac OS X | =10.15.7-security_update_2022-003 | |
| Apple macOS | <10.15.7 | |
| Apple macOS | >=11.0<11.6.6 | |
| Apple macOS | >=12.0.0<12.4 | |
| redhat/httpd | <2.4.52 | 2.4.52 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el8 | 0:2.4.51-28.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-28.el7 | 0:2.4.51-28.el7 |
| redhat/httpd24-httpd | <0:2.4.34-23.el7.5 | 0:2.4.34-23.el7.5 |
| debian/apache2 | 2.4.38-3+deb10u8 2.4.38-3+deb10u10 2.4.56-1~deb11u2 2.4.56-1~deb11u1 2.4.57-2 2.4.57-3 2.4.58-1 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-44224 https://nvd.nist.gov/vuln/detail/CVE-2021-44224 http://httpd.apache.org/security/vulnerabilities_24.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2034672
- https://access.redhat.com/errata/RHSA-2022:7143
- https://access.redhat.com/errata/RHSA-2022:1915
- https://access.redhat.com/errata/RHSA-2022:7144
- https://access.redhat.com/errata/RHSA-2022:6753
- https://access.redhat.com/security/cve/cve-2021-44224
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-44224
- https://svn.apache.org/r1895955
- https://svn.apache.org/r1896044
- https://security-tracker.debian.org/tracker/CVE-2021-44224
- https://support.apple.com/en-us/HT213255 (Advisory)
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://seclists.org/fulldisclosure/2022/May/33
- http://seclists.org/fulldisclosure/2022/May/35
- http://seclists.org/fulldisclosure/2022/May/38
- http://www.openwall.com/lists/oss-security/2021/12/20/3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211224-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://www.debian.org/security/2022/dsa-5035
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.tenable.com/security/tns-2022-01
- https://www.tenable.com/security/tns-2022-03
- https://support.apple.com/en-us/HT213256 (Advisory)
- https://support.apple.com/en-us/HT213257 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2034673
- https://svn.apache.org/viewvc?view=revision&revision=1895921
- https://svn.apache.org/viewvc?view=revision&revision=1895981
- https://svn.apache.org/viewvc?view=revision&revision=r1895955
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2021-44224
- CVE-2021-44790
- CVE-2022-22719
- CVE-2022-22720
- CVE-2022-22721
- CVE-2022-22665
- CVE-2022-22630
- CVE-2022-26751
- CVE-2022-26697
- CVE-2022-26698
- CVE-2022-22663
- CVE-2022-26721
- CVE-2022-26722
- CVE-2022-26763
- CVE-2022-22674
- CVE-2022-26720
- CVE-2022-26770
- CVE-2022-26756
- CVE-2022-26769
- CVE-2022-26748
- CVE-2022-26714
- CVE-2022-26757
- CVE-2022-32790
- CVE-2022-26775
- CVE-2022-0778
- CVE-2022-23308
- CVE-2022-32794
- CVE-2022-26727
- CVE-2022-26746
- CVE-2022-26766
- CVE-2022-26715
- CVE-2022-26728
- CVE-2022-26726
- CVE-2022-26755
- CVE-2022-22589
- CVE-2022-26761
- CVE-2022-0530
- CVE-2018-25032
- CVE-2021-45444
- CVE-2022-22675
- CVE-2022-26768
- CVE-2021-30946
- CVE-2022-26767
- CVE-2022-26706
- CVE-2022-32882
- CVE-2022-26776
- CVE-2022-26712
- CVE-2022-26731
- CVE-2022-26718
- CVE-2022-26723
- CVE-2021-4136
- CVE-2021-4166
- CVE-2021-4173
- CVE-2021-4187
- CVE-2021-4192
- CVE-2021-4193
- CVE-2021-46059
- CVE-2022-0128
- CVE-2022-26745
- CVE-2022-26772
- CVE-2022-26741
- CVE-2022-26742
- CVE-2022-26749
- CVE-2022-26750
- CVE-2022-26752
- CVE-2022-26753
- CVE-2022-26754
- CVE-2022-26707
- CVE-2022-26736
- CVE-2022-26737
- CVE-2022-26738
- CVE-2022-26739
- CVE-2022-26740
- CVE-2022-32783
- CVE-2022-26694
- CVE-2022-32781
- CVE-2022-26711
- CVE-2022-26725
- CVE-2022-26701
- CVE-2022-26758
- CVE-2022-26743
- CVE-2022-26764
- CVE-2022-26765
- CVE-2022-26708
- CVE-2022-48575
- CVE-2022-22617
- CVE-2022-32782
- CVE-2022-26693
- CVE-2022-26704
- CVE-2022-42857
- CVE-2022-26696
- CVE-2022-26700
- CVE-2022-26709
- CVE-2022-26710
- CVE-2022-26717
- CVE-2022-26716
- CVE-2022-26719
- CVE-2022-22677
- CVE-2022-26762
Frequently Asked Questions
What is CVE-2021-44224?
CVE-2021-44224 is a vulnerability in the Apache HTTP server that allows for a null pointer dereference and server-side request forgery (SSRF) when the mod_proxy module is configured as a forward proxy.
How does CVE-2021-44224 impact the Apache HTTP server?
CVE-2021-44224 can cause a crash or allow for SSRF attacks if a crafted packet is sent to the forward proxy on the adjacent network.
What is the severity of CVE-2021-44224?
CVE-2021-44224 has a severity value of 7, indicating a high severity.
How can I fix CVE-2021-44224?
To fix CVE-2021-44224, update Apache HTTP server to version 2.4.53 or later.
Are there any references for CVE-2021-44224?
Yes, you can find references for CVE-2021-44224 at the following links: [Link 1](https://support.apple.com/en-us/HT213257), [Link 2](https://support.apple.com/en-us/HT213255), [Link 3](https://support.apple.com/en-us/HT213256).
- collector/redhat-cve
- collector/security-tracker-debian
- collector/apple-support
- alias/CVE-2021-44790
- alias/CVE-2022-22719
- alias/CVE-2022-22720
- alias/CVE-2022-22721
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-44224
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- source/Apple
- agent/tags
- agent/event
- package-manager/redhat
- package-manager/debian
- vendor/apple
- canonical/apple catalina
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.7
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/tenable
- canonical/tenable tenable.sc
- version/tenable tenable.sc/5.14.0
- version/tenable tenable.sc/5.16.0
- vendor/oracle
- canonical/oracle communications element manager
- canonical/oracle communications operations monitor
- version/oracle communications operations monitor/4.0
- version/oracle communications operations monitor/4.3
- version/oracle communications operations monitor/4.4
- version/oracle communications operations monitor/5.0
- canonical/oracle communications session report manager
- canonical/oracle communications session route manager
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/apple mac os x
- version/apple mac os x/10.15.7
- version/apple mac os x/10.15.7-security_update_2020-001
- version/apple mac os x/10.15.7-security_update_2021-001
- version/apple mac os x/10.15.7-security_update_2021-002
- version/apple mac os x/10.15.7-security_update_2021-003
- version/apple mac os x/10.15.7-security_update_2021-004
- version/apple mac os x/10.15.7-security_update_2021-005
- version/apple mac os x/10.15.7-security_update_2021-006
- version/apple mac os x/10.15.7-security_update_2021-007
- version/apple mac os x/10.15.7-security_update_2021-008
- version/apple mac os x/10.15.7-security_update_2022-001
- version/apple mac os x/10.15.7-security_update_2022-002
- version/apple mac os x/10.15.7-security_update_2022-003
- canonical/apple macos
- version/apple macos/11.0
- version/apple macos/12.0.0
- canonical/apple macos big sur
- canonical/apple macos monterey