While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. References: https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/rc30f96fa07346fa6bdd73f3e172b8964ec9a7d49351b4f60422fc469@%3Cannounce.apache.org%3E
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 2010935]
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41524