The Apache HTTP Server protocol handler for HTTP/2 checks received request headers against the size limits configured for the server, the same limits that apply to HTTP/1. When a limit is exceeded, an HTTP response is sent to the client with a status code indicating why the request was rejected. In the HTTP/2 protocol handler this rejection response was not fully initialized if the offending header was the very first one received or appeared in a trailer (footer). This led to a NULL pointer dereference, reliably crashing the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

Upstream patch:
https://github.com/apache/httpd/commit/f990e5ecad40b100a8a5c7c1033c46044a9cb244
http://svn.apache.org/viewvc?view=revision&revision=1889759
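As an added illustration, not part of the bug report or of the upstream advisory: the header size limits the description refers to are the core directives LimitRequestFieldSize (bytes per header line) and LimitRequestFields (number of header lines), which mod_http2 enforces for HTTP/2 streams as well. The crash is only reachable where HTTP/2 is actually negotiated, so on a build that does not yet carry the fix the interim mitigation is to stop offering h2/h2c in the Protocols directive. The host name and the 443 virtual host are placeholders; the limit values shown are httpd's defaults.

```apache
# Added example configuration, not from the bug report. Hostnames are placeholders.
# httpd does not allow trailing comments, so every comment is on its own line.

# These are the limits the advisory refers to. mod_http2 checks each HTTP/2
# header against them too, and a violation enters the rejection path that
# crashes the child when the violating header is the first one or a trailer.
LimitRequestFieldSize 8190
LimitRequestFields 100

# Exposed: HTTP/2 over TLS is offered, so the HTTP/2 handler is in use.
# (A cleartext :80 vhost would be exposed through "Protocols h2c http/1.1".)
<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
    SSLEngine on
</VirtualHost>

# Interim mitigation for a build without the fix: offer HTTP/1.1 only, so the
# HTTP/2 handler is never entered. Browsers fall back via ALPN without error.
# Remove once 2.4.48 or a distribution backport of the fix is installed.
<VirtualHost *:443>
    ServerName www.example.com
    Protocols http/1.1
    SSLEngine on
</VirtualHost>
```

Check the result with `apachectl -t` (configuration syntax) and `httpd -M | grep http2` (`apache2ctl -M` on Debian): the module may remain loaded, what matters is that no Protocols line still offers h2 or h2c. When deciding whether a host needs this mitigation, do not rely on the version string from `httpd -v` alone: distribution builds such as the Debian 2.4.38 and 2.4.46 packages discussed in this thread carry the fix without a version bump, so the package changelog is the authority.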
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1968261]
mod_h2 commit: https://github.com/icing/mod_h2/commit/1207f69bff3804c7920a57af7649d1eef8b645de#diff-fb0096c49677980d95821ee43f691777ce0645add49981d04c542b92980ea533
Hi, I'm the Debian maintainer of Apache. I'd like to patch Apache 2.4.38 and 2.4.46 without upgrading to 2.4.48 (due to Debian policy), but the proposed patch can't be applied. Is there a way to patch these versions? A friend sent me this patch, is it enough?

--- modules/http2/h2_stream.c (Revision 1889017) +++ modules/http2/h2_stream.c (Arbeitskopie) @@ -638,7 +638,7 @@ static void set_error_response(h2_stream *stream, int http_status) { - if (!h2_stream_is_ready(stream)) { + if (!h2_stream_is_ready(stream) && stream->rtmp) { stream->rtmp->http_status = http_status; } }
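Review bot: the added `&& stream->rtmp` guard in set_error_response stops the NULL dereference, but when `stream->rtmp` is NULL the requested `http_status` is silently discarded rather than recorded anywhere, so a violation on the very first header or in a trailer now ends with no error status on the stream at all; confirm that the caller still aborts the stream with an error in that case instead of continuing with an uninitialized response, and diff this against the 2.4.x r1889759 change that the thread identifies as the correct fix before shipping it as the Debian backport. A one-line comment above the condition saying when `rtmp` can be NULL (first header received, or header in a trailer) would also help, since on its own the extra check reads as a defensive afterthought.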
Yes I believe that: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759 is the correct fix for this vulnerability, not sure where the other link came from. ProdSec, please amend.
@Joe_Orton: many thanks, I just pushed updates for Debian releases. Cheers, Yadd
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31618