Bug 1968013 (CVE-2021-31618) - CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request
Summary: CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 re...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31618
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1968260 1968261 1968263 1968264 1968265 1968266 1968267 1968268 1968269 1968270 1968366 1968367 1968368 1968369 1968370
Blocks: 1966744
TreeView+ depends on / blocked
 
Reported: 2021-06-04 17:52 UTC by Pedro Sampaio
Modified: 2021-08-23 20:23 UTC (History)
48 users (show)

Fixed In Version: http 2.4.48
Doc Type: If docs needed, set a value
Doc Text:
A null pointer de-reference was found in the way httpd handled specially crafted HTTP/2 request. A remote attacker could use this flaw to crash the httpd child process, causing temporary denial of service.
Clone Of:
Environment:
Last Closed: 2021-06-17 15:05:43 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2471 0 None None None 2021-06-17 11:36:19 UTC
Red Hat Product Errata RHSA-2021:2472 0 None None None 2021-06-17 11:46:25 UTC

Description Pedro Sampaio 2021-06-04 17:52:22 UTC 
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected.

This rejection response was not fully initialized in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a footer. This led to a NULL pointer dereference on initialized memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server.

References:

https://httpd.apache.org/security/vulnerabilities_24.html

Upstream patch:

https://github.com/apache/httpd/commit/f990e5ecad40b100a8a5c7c1033c46044a9cb244
http://svn.apache.org/viewvc?view=revision&revision=1889759
Comment 1 Huzaifa S. Sidhpurwala 2021-06-07 04:37:56 UTC 
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1968261]
Comment 8 Jean-frederic Clere 2021-06-07 13:56:24 UTC 
mod_h2 commit: https://github.com/icing/mod_h2/commit/1207f69bff3804c7920a57af7649d1eef8b645de#diff-fb0096c49677980d95821ee43f691777ce0645add49981d04c542b92980ea533
Comment 11 yadd@debian.org 2021-06-09 14:16:57 UTC 
Hi,

I'm Debian maintainer of Apache. I'd like to patch Apache 2.4.38 and 2.4.46 without upgrading to 2.4.48 (due to Debian policy), but the proposed patch can't be applied. Is there a way to patch these versions ? A friend sent me this patch, is it enough ?

--- modules/http2/h2_stream.c    (Revision 1889017)
+++ modules/http2/h2_stream.c    (Arbeitskopie)
@@ -638,7 +638,7 @@

static void set_error_response(h2_stream *stream, int http_status)
{
-    if (!h2_stream_is_ready(stream)) {
+    if (!h2_stream_is_ready(stream) && stream->rtmp) {
        stream->rtmp->http_status = http_status;
    }
}
Comment 12 Joe Orton 2021-06-10 09:27:57 UTC 
Yes I believe that:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759

is the correct fix for this vulnerability, not sure where the other link came from.  ProdSec, please amend.
Comment 13 yadd@debian.org 2021-06-10 10:23:09 UTC 
@Joe_Orton: many thanks, I just pushed updates for Debian releases.

Cheers,
Yadd
Comment 14 errata-xmlrpc 2021-06-17 11:36:11 UTC 
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
Comment 15 errata-xmlrpc 2021-06-17 11:46:15 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
Comment 16 Product Security DevOps Team 2021-06-17 15:05:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31618
Note You need to log in before you can comment on or make changes to this bug.