Bug 2005128 (CVE-2021-34798) - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests
Summary: CVE-2021-34798 httpd: NULL pointer dereference via malformed requests
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-34798
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2005129 2007011 2007012 2007013 2007014 2007190 2007191 2007192 2007193 2027863 2031072 2057088 2057464 2059256
Blocks: 2000242
TreeView+ depends on / blocked
 
Reported: 2021-09-16 20:28 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-09-29 13:32 UTC (History)
56 users (show)

Fixed In Version: httpd 2.4.49
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2022-01-17 10:00:40 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0170 0 None None None 2022-01-18 19:09:51 UTC
Red Hat Product Errata RHBA-2022:0337 0 None None None 2022-02-01 12:01:59 UTC
Red Hat Product Errata RHSA-2022:0143 0 None None None 2022-01-17 09:01:10 UTC
Red Hat Product Errata RHSA-2022:0891 0 None None None 2022-03-15 10:06:53 UTC
Red Hat Product Errata RHSA-2022:6753 0 None None None 2022-09-29 13:32:33 UTC

Description Guilherme de Almeida Suckevicz 2021-09-16 20:28:46 UTC
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

Reference:
http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Guilherme de Almeida Suckevicz 2021-09-16 20:29:08 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2005129]

Comment 3 Ted Jongseok Won 2021-09-17 03:42:37 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 6 Riccardo Schirone 2021-09-23 10:37:27 UTC
This seems to be the related patch found by looking at the history between 2.4.48 and 2.4.49 and double-checking with the SUSE bug https://bugzilla.suse.com/show_bug.cgi?id=1190669:
https://github.com/apache/httpd/commit/fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e

Comment 19 Chia Cheng Feng 2022-01-14 08:44:44 UTC
Hi Joe,
I saw your comment we will not fix this issue in rhel7. But our customer's security team needs to fix this requirement from the PCI DDS rule.
Do we have any advice? or will plan to fix in Red Hat JBoss Core Services of jbcs-httpd24-httpd ?

Thanks

Hunter

Comment 21 errata-xmlrpc 2022-01-17 09:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0143 https://access.redhat.com/errata/RHSA-2022:0143

Comment 22 Product Security DevOps Team 2022-01-17 10:00:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-34798

Comment 23 Nathan Coulson 2022-01-26 18:21:33 UTC
Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143 errata seems to only mention Red Hat Enterprise Linux 7.

Comment 24 Branislav Náter 2022-01-27 09:44:02 UTC
(In reply to Nathan Coulson from comment #23)
> Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143
> errata seems to only mention Red Hat Enterprise Linux 7.

Yes, it'll be addressed in rhel-8.

Comment 26 Nathan Coulson 2022-03-01 18:55:16 UTC
(In reply to Branislav Náter from comment #24)
> (In reply to Nathan Coulson from comment #23)
> > Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143
> > errata seems to only mention Red Hat Enterprise Linux 7.
> 
> Yes, it'll be addressed in rhel-8.

As this ticket is closed still, and no updates here mentioning plans for an errata for EL8,

Is this the right place to monitor for when this is resolved?  or is this being done on another ticket?

Comment 27 Branislav Náter 2022-03-02 06:57:08 UTC
(In reply to Nathan Coulson from comment #26)
> (In reply to Branislav Náter from comment #24)
> > (In reply to Nathan Coulson from comment #23)
> > > Will this also be addressed for Red Hat Enterprise Linux 8?  The 2022:0143
> > > errata seems to only mention Red Hat Enterprise Linux 7.
> > 
> > Yes, it'll be addressed in rhel-8.
> 
> As this ticket is closed still, and no updates here mentioning plans for an
> errata for EL8,
> 
> Is this the right place to monitor for when this is resolved?  or is this
> being done on another ticket?

It's tracked here https://bugzilla.redhat.com/show_bug.cgi?id=2059256

Comment 28 errata-xmlrpc 2022-03-15 10:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0891 https://access.redhat.com/errata/RHSA-2022:0891

Comment 29 Riccardo Schirone 2022-03-22 15:13:17 UTC
There was before a Mitigation for this flaw which said to disable ProxyRequests, however that was the wrong mitigation for this flaw. We investigated further whether a mitigation exists and we were not able to find one.

Comment 30 errata-xmlrpc 2022-09-29 13:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753


Note You need to log in before you can comment on or make changes to this bug.