Apache – CVE-2021-31618

Description

Kayran has detected that the version of Apache HTTP Server in use is vulnerable to a NULL pointer dereference (CWE-476), tracked as CVE-2021-31618.

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid but that is instead NULL, typically causing a crash or exit.

The Apache HTTP Server protocol handler for HTTP/2 checks received request headers against the size limits configured for the server, the same limits that apply to HTTP/1.
When these restrictions are violated, an HTTP response is sent to the client with a status code indicating why the request was rejected.
This rejection response was not fully initialized in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a footer. This led to a NULL pointer dereference on initialized memory, reliably crashing the child process.

Since such a triggering request is easy to craft and submit, this can be exploited to DoS (Denial of Service) the server.
This degrades performance and interrupts the availability of resources.
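
A simplified C model of this failure mode, added here as an illustration and not taken from Apache's source: the stream's request object does not exist until a header has been accepted, so a rejection triggered by the very first header must create that object before writing the status into it. All names (`stream_t`, `request_t`, `add_header`) are hypothetical, and the 8190-byte limit and 431 status are assumed values.

```c
/* Simplified model of the bug class; constructed for illustration, NOT
 * Apache's mod_http2 source. All names and constants are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_LIMIT 8190       /* assumed per-header size limit */
#define STATUS_TOO_LARGE 431   /* assumed rejection status */

typedef struct { int http_status; int header_count; } request_t;
typedef struct { request_t *req; } stream_t; /* req is NULL until a header is accepted */

/* Unsafe pattern: assumes the request object exists. If the very first
 * header is the oversized one, s->req is still NULL and this write crashes. */
void reject_unchecked(stream_t *s, int status) { s->req->http_status = status; }

/* Create the request object on demand; returns 0 on success, -1 on OOM. */
static int ensure_request(stream_t *s) {
    if (s->req == NULL) s->req = calloc(1, sizeof *s->req);
    return s->req ? 0 : -1;
}

/* Hardened pattern: initialize the rejection response before writing to it. */
int reject_checked(stream_t *s, int status) {
    if (ensure_request(s) != 0) return -1;
    s->req->http_status = status;
    return status;
}

/* Returns 0 if the header is accepted, otherwise the rejection status. */
int add_header(stream_t *s, const char *name, const char *value) {
    if (strlen(name) + strlen(value) > FIELD_LIMIT)
        return reject_checked(s, STATUS_TOO_LARGE);
    if (ensure_request(s) != 0) return -1;
    s->req->header_count++;
    return 0;
}

/* Constructed input: the first header on a fresh stream exceeds the limit. */
int demo_oversized_first_header(void) {
    static char big[FIELD_LIMIT + 2];   /* zero-filled, so NUL-terminated */
    stream_t s = { NULL };
    memset(big, 'A', sizeof big - 1);
    int rc = add_header(&s, "x-test", big);
    free(s.req);
    return rc;
}

int main(void) { printf("first header oversized -> %d\n", demo_oversized_first_header()); return 0; }
```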

Recommendation

To fix CVE-2021-31618, upgrade the version of Apache HTTP Server being used to 2.4.48.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618

https://cwe.mitre.org/data/definitions/476.html
