Bug 2005128 (CVE-2021-34798)

Summary: CVE-2021-34798 httpd: NULL pointer dereference via malformed requests
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aakhtar, anon.amish, asoldano, atangrin, bbaranow, bmalviya, bmaxwell, bnater, brian.stansberry, caswilli, cdewolf, cfeng, chazlett, csutherl, darran.lofthouse, dkreling, dosoudil, eleandro, fjansen, fjuma, gzaronik, hhorak, iweiss, jclere, jkaluza, jnakfour, jochrist, jorton, jpallich, jperkins, jwong, jwon, kaycoth, krathod, kwills, lgao, luhliari, luke, msochure, msvehla, mturk, nathan, nbhumkar, nwallace, oliver.erdi, pahan, pjindal, pmackay, rguimara, rstancel, rsvoboda, smaestri, szappis, tom.jenkinson, yborgess, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: httpd 2.4.49
Doc Text: A NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability.
Last Closed: 2022-01-17 10:00:40 UTC
Bug Depends On: 2005129, 2007011, 2007012, 2007013, 2007014, 2007190, 2007191, 2007192, 2007193, 2027863, 2031072, 2057088, 2057464, 2059256
Bug Blocks: 2000242

Description Guilherme de Almeida Suckevicz 2021-09-16 20:28:46 UTC
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

Reference:
http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Guilherme de Almeida Suckevicz 2021-09-16 20:29:08 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2005129]

Comment 3 Ted Jongseok Won 2021-09-17 03:42:37 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 6 Riccardo Schirone 2021-09-23 10:37:27 UTC
This seems to be the related patch found by looking at the history between 2.4.48 and 2.4.49 and double-checking with the SUSE bug https://bugzilla.suse.com/show_bug.cgi?id=1190669:
https://github.com/apache/httpd/commit/fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e

Comment 19 Chia Cheng Feng 2022-01-14 08:44:44 UTC
Hi Joe,
I saw your comment that we will not fix this issue in rhel7, but our customer's security team needs to fix this requirement from the PCI DSS rule.
Do we have any advice? Or is there a plan to fix it in Red Hat JBoss Core Services of jbcs-httpd24-httpd?

Thanks

Hunter

Comment 21 errata-xmlrpc 2022-01-17 09:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0143 https://access.redhat.com/errata/RHSA-2022:0143

Comment 22 Product Security DevOps Team 2022-01-17 10:00:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-34798

Comment 23 Nathan Coulson 2022-01-26 18:21:33 UTC
Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143 errata seems to only mention Red Hat Enterprise Linux 7.

Comment 24 Branislav Náter 2022-01-27 09:44:02 UTC
(In reply to Nathan Coulson from comment #23)
> Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143
> errata seems to only mention Red Hat Enterprise Linux 7.

Yes, it'll be addressed in rhel-8.

Comment 26 Nathan Coulson 2022-03-01 18:55:16 UTC
(In reply to Branislav Náter from comment #24)
> (In reply to Nathan Coulson from comment #23)
> > Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143
> > errata seems to only mention Red Hat Enterprise Linux 7.
> 
> Yes, it'll be addressed in rhel-8.

As this ticket is closed still, and no updates here mentioning plans for an errata for EL8,

Is this the right place to monitor for when this is resolved?  or is this being done on another ticket?

Comment 27 Branislav Náter 2022-03-02 06:57:08 UTC
(In reply to Nathan Coulson from comment #26)
> (In reply to Branislav Náter from comment #24)
> > (In reply to Nathan Coulson from comment #23)
> > > Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143
> > > errata seems to only mention Red Hat Enterprise Linux 7.
> > 
> > Yes, it'll be addressed in rhel-8.
> 
> As this ticket is closed still, and no updates here mentioning plans for an
> errata for EL8,
> 
> Is this the right place to monitor for when this is resolved?  or is this
> being done on another ticket?

It's tracked here https://bugzilla.redhat.com/show_bug.cgi?id=2059256

Comment 28 errata-xmlrpc 2022-03-15 10:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0891 https://access.redhat.com/errata/RHSA-2022:0891

Comment 29 Riccardo Schirone 2022-03-22 15:13:17 UTC
There was previously a mitigation for this flaw which said to disable ProxyRequests; however, that was the wrong mitigation for this flaw. We investigated further whether a mitigation exists and we were not able to find one.

Comment 30 errata-xmlrpc 2022-09-29 13:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753