Bug 1968013 (CVE-2021-31618)
| Summary: | CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | anon.amish, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, csutherl, darran.lofthouse, dkreling, dosoudil, eleandro, fjuma, gzaronik, hhorak, iweiss, jclere, jkaluza, jlyle, jochrist, jorton, jpallich, jperkins, jwon, kaycoth, krathod, kwills, lgao, luhliari, micjohns, msochure, msvehla, mturk, mvanderw, nwallace, pahan, petrblaho, pjindal, pmackay, rguimara, rstancel, rsvoboda, smaestri, szappis, tom.jenkinson, yadd, yborgess |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | http 2.4.48 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A null pointer de-reference was found in the way httpd handled specially crafted HTTP/2 request. A remote attacker could use this flaw to crash the httpd child process, causing temporary denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-17 15:05:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1968260, 1968261, 1968263, 1968264, 1968265, 1968266, 1968267, 1968268, 1968269, 1968270, 1968366, 1968367, 1968368, 1968369, 1968370 | ||
| Bug Blocks: | 1966744 | ||
|
Description
Pedro Sampaio
2021-06-04 17:52:22 UTC
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1968261] Hi,
I'm Debian maintainer of Apache. I'd like to patch Apache 2.4.38 and 2.4.46 without upgrading to 2.4.48 (due to Debian policy), but the proposed patch can't be applied. Is there a way to patch these versions ? A friend sent me this patch, is it enough ?
--- modules/http2/h2_stream.c (Revision 1889017)
+++ modules/http2/h2_stream.c (Arbeitskopie)
@@ -638,7 +638,7 @@
static void set_error_response(h2_stream *stream, int http_status)
{
- if (!h2_stream_is_ready(stream)) {
+ if (!h2_stream_is_ready(stream) && stream->rtmp) {
stream->rtmp->http_status = http_status;
}
}
Yes I believe that: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759 is the correct fix for this vulnerability, not sure where the other link came from. ProdSec, please amend. @Joe_Orton: many thanks, I just pushed updates for Debian releases. Cheers, Yadd This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.37 SP8 Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31618 |