Bug 2034672 (CVE-2021-44224) - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations
Summary: CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy conf...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-44224
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2034673 2035029 2035030 2035031 2035125 2066311
Blocks: 2034676
 
Reported: 2021-12-21 16:49 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-18 04:29 UTC (History)

Fixed In Version: httpd 2.4.52
Doc Type: If docs needed, set a value
Doc Text:
There is a NULL pointer dereference and server-side request forgery flaw in httpd's mod_proxy module when it is configured as a forward proxy. A crafted request sent on the adjacent network to the forward proxy could cause a crash or, potentially, SSRF via misdirected Unix Domain Socket requests. In the worst case, this could cause a denial of service or compromise the confidentiality of data.
Clone Of:
Environment:
Last Closed: 2022-05-12 00:16:12 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:1915  0        None      None    None     2022-05-10 14:17:42 UTC
Red Hat Product Errata  RHSA-2022:6753  0        None      None    None     2022-09-29 13:32:46 UTC
Red Hat Product Errata  RHSA-2022:7143  0        None      None    None     2022-10-26 20:20:35 UTC
Red Hat Product Errata  RHSA-2022:7144  0        None      None    None     2022-10-26 20:06:54 UTC

Internal Links: 2042795

Description Guilherme de Almeida Suckevicz 2021-12-21 16:49:54 UTC
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

References:
http://httpd.apache.org/security/vulnerabilities_24.html
http://www.openwall.com/lists/oss-security/2021/12/20/3
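The description above gives two conditions: any httpd 2.4.7 through 2.4.51 running as a forward proxy (ProxyRequests On) is exposed to the crash, and only a configuration that also declares a reverse-proxy target on a Unix Domain Socket is exposed to the SSRF. The following is an added example, not code from this bug or from the httpd project, that turns those two conditions into a static check over an httpd configuration and a version-range test. The sample configurations, socket paths and backend addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for CVE-2021-44224 (not from the bug report or from httpd).
# Classifies an httpd configuration by the conditions the advisory names and
# tests whether a version string falls in the affected range 2.4.7 .. 2.4.51.

# Constructed sample configurations (hypothetical paths and backends).
MIXED_CONF='
# forward proxy plus a reverse-proxy target on a Unix Domain Socket
ProxyRequests On
ProxyPass "/app" "unix:/run/app.sock|http://localhost/"
'
FORWARD_ONLY_CONF='
ProxyRequests On
ProxyPass "/api" "http://10.0.0.5:8080/"
'
REVERSE_ONLY_CONF='
ProxyRequests Off
ProxyPass "/app" "unix:/run/app.sock|http://localhost/"
'

# classify_conf: reads an httpd config on stdin and prints one of
#   forward-proxy-with-unix-socket  (crash and SSRF conditions both present)
#   forward-proxy                   (crash condition only)
#   no-forward-proxy                (neither condition)
# Comment lines are dropped first; directive matching is case-insensitive
# and tolerates indentation inside <VirtualHost> or <Proxy> blocks.
classify_conf() {
    conf=$(cat)
    fwd=0
    sock=0
    printf '%s\n' "$conf" | grep -Ev '^[[:space:]]*#' \
        | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' && fwd=1
    printf '%s\n' "$conf" | grep -Ev '^[[:space:]]*#' \
        | grep -Eiq '^[[:space:]]*ProxyPass(Match)?[[:space:]]+.*unix:' && sock=1
    if [ "$fwd" -eq 1 ] && [ "$sock" -eq 1 ]; then
        echo "forward-proxy-with-unix-socket"
    elif [ "$fwd" -eq 1 ]; then
        echo "forward-proxy"
    else
        echo "no-forward-proxy"
    fi
}

# version_affected MAJOR.MINOR.PATCH[suffix]: succeeds (exit 0) when the
# version is 2.4.7 through 2.4.51 inclusive. Distro suffixes such as
# "2.4.37-47.el8" are stripped before the numeric comparison; note that a
# distro build may carry the fix as a backport without bumping the version,
# so this is only a first-pass check, not proof of exposure.
version_affected() {
    v="$1"
    case "$v" in
        *.*.*) ;;
        *) return 1 ;;
    esac
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    pat=${pat%%[!0-9]*}
    [ "$maj" = 2 ] && [ "$min" = 4 ] \
        && [ "${pat:-0}" -ge 7 ] && [ "${pat:-0}" -le 51 ]
}

# Stand-alone run: classify the three constructed configs and test a version.
printf 'mixed:        %s\n' "$(printf '%s' "$MIXED_CONF" | classify_conf)"
printf 'forward-only: %s\n' "$(printf '%s' "$FORWARD_ONLY_CONF" | classify_conf)"
printf 'reverse-only: %s\n' "$(printf '%s' "$REVERSE_ONLY_CONF" | classify_conf)"
if version_affected "2.4.51"; then
    echo "2.4.51: in affected range"
else
    echo "2.4.51: outside affected range"
fi
```

To run it against a real instance, feed the output of `httpd -t -D DUMP_CONFIG` (or `apachectl -t -D DUMP_CONFIG`) into `classify_conf` so that included files are seen, and pass the version from `httpd -v` to `version_affected`. A result of `forward-proxy-with-unix-socket` on an affected version matches the SSRF case in the description; `forward-proxy` alone still matches the NULL dereference case. Either way the fix is the version listed on this bug (httpd 2.4.52) or the errata linked above.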

Comment 1 Guilherme de Almeida Suckevicz 2021-12-21 16:50:17 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2034673]

Comment 3 Ted Jongseok Won 2021-12-22 07:40:22 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 14 errata-xmlrpc 2022-05-10 14:17:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1915 https://access.redhat.com/errata/RHSA-2022:1915

Comment 15 Product Security DevOps Team 2022-05-12 00:16:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44224

Comment 16 errata-xmlrpc 2022-09-29 13:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753

Comment 17 errata-xmlrpc 2022-10-26 20:06:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144

Comment 18 errata-xmlrpc 2022-10-26 20:20:30 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143

Comment 19 Red Hat Bugzilla 2023-09-18 04:29:36 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

