Vulnerabilities Details

  • Home
  • Vulnerabilities Details

ZMC-2021.06.11.1230

Apache HTTP Server: Multiple vulnerabilities

Operating System:

[WIN][UNIX/LINUX]

Published:

11th June 2021

VulnerabilitiesZMC-2021.06.4.1600 


===========================================================================
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2021.06.11.1230
                     Apache HTTP Server: Multiple vulnerabilities
                               11th June 2021

===========================================================================
Product:           Apache HTTP Server
Publisher:         Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-31618 CVE-2021-30641 CVE-2021-26691
                   CVE-2021-26690 CVE-2020-35452 CVE-2020-13950
                   CVE-2020-13938 CVE-2019-17567 

Original Bulletin: 
   https://httpd.apache.org/security/vulnerabilities_24.html

Comment: This bulletin contains eight (8) Apache Software Foundation security
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
2.4.47
httpd 
Description:
Apache HTTP Server 2.4.47
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the 
size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of 
these restrictions and HTTP response is sent to the client with a status code indicating why the request 
was rejected.

This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header 
was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on 
initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy
to craft and submit, this can be exploited to DoS the server.

This affected versions prior to 2.4.47

Mitigation:
none

Credit:
Apache HTTP server would like to thank  LI ZHI XIN from NSFocus for reporting this.

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF'

Severity: moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.39 to 2.4.46

Description:
Apache HTTP Server 2.4.39 to 2.4.46
Unexpected matching behavior with 'MergeSlashes OFF'
    
Mitigation:
n/a

Credit:
Discovered by Christoph Anton Mitterer

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2021-26691: mod_session response handling heap overflow

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.46

Description:
Apache HTTP Server 2.4.0 to 2.4.46
A specially crafted SessionHeader sent by an origin server could cause a heap overflow
    
Mitigation:
None

Credit:
Discovered internally by Christophe Jaillet

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2021-26690: mod_session NULL pointer dereference

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.46

Description:
Apache HTTP Server 2.4.0 to 2.4.46
A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference 
and crash, leading to a possible Denial Of Service
    
Mitigation:
None

Credit:
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2020-35452: mod_auth_digest possible stack overflow by one nul byte

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.46

Description:
Apache HTTP Server 2.4.0 to 2.4.46
A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report
of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some 
particular compiler and/or compilation option might make it possible, with limited consequences 
anyway due to the size (a single byte) and the value (zero byte) of the overflow
    
Mitigation:
None

Credit:
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2020-13950: mod_proxy_http NULL pointer dereference

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.41 to 2.4.46

Description:
Apache HTTP Server 2.4.41 to 2.4.46
mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using
both Content-Length and Transfer-Encoding headers, leading to a Denial of Service

Mitigation:
None

Credit:
Reported by Marc Stern ()

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2020-13938: Improper Handling of Insufficient Privileges

Severity: moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.47

Description:
Apache HTTP Server 2.4.0 to 2.4.47
Unprivileged local users can stop httpd on Windows
    
Mitigation:
n/a

Credit:
Discovered by Ivan Zhakov

References:
https://httpd.apache.org/security/vulnerabilities_24.html


- --------------------------------------------------------------------------------


CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections

Severity: moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.6 to 2.4.46

Description:
Apache HTTP Server 2.4.6 to 2.4.46
mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was
tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection
to pass through with no HTTP validation, authentication or authorization possibly configured.
    
Mitigation:
Configure mod_proxy_wstunnel on URLs that are always Upgraded by the origin server

Credit:
Reported by Mikhail Egorov (<0ang3el gmail.com>)

References:
https://httpd.apache.org/security/vulnerabilities_24.html

 
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: report@cirt.zm     
Telephone:     7070 
                ZMCIRT personnel answer during Zambian business hours 
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================

Copyright @2023 ZAMBIA CIRT