CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
Published Dec 20, 2021
·Updated
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Credit
CVE-2021-44224, CVE-2021-44790, CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, Lockheed Martin Red Team, an anonymous researcher, Jeremy Brown(Trend Micro Zero Day Initiative), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Qi Sun(Trend Micro), Ye Zhang@@co0py_Cat(Baidu Security), Robert Ai(Trend Micro), Arsenii Kostromin (0x3c3e), Yonghwi Jin@@jinmo123(Theori), Linus Henze(Pinauten GmbH), Liu Long(Ant Security Light), Jack Dates(RET2 Systems Inc), Antonio Zekic@@antoniozekic, Jeonghoon Shin(Theori working with Trend Micro Zero Day Initiative), Peter Nguyễn Vũ Hoàng@@peternguyen14(STAR Labs), Ned Williamson(Google Project Zero), @@gorelics(BreakPoint), (BreakPoint), Ron Masas(BreakPoint), Wojciech Reguła@@_r3ggi(SecuRing), Arsenii Kostromin (0x3c3e)(Microsoft), Jonathan Bar Or(Microsoft), Zhipeng Huo@@R3dF09(Tencent Security Xuanwu Lab), Yuebin Sun@@yuebinsun2020(Tencent Security Xuanwu Lab), Max Shavrick@@_mxms(the Google Security Team), Zubair Ashraf(Crowdstrike), CVE-2022-0778, CVE-2022-23308, Mickey Jin@@patch1t, @@gorelics, Peter Nguyễn Vũ Hoàng(STAR Labs), Felix Poulin-Belanger, Antonio Cheong Yu Xuan(YCISCQ), CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2021-46059, CVE-2022-0128, Heige(KnownSec 404 Team), Bo Qu(Palo Alto Networks), Scarlet Raine, Wang Yu(Cyberserval), CVE-2022-0530, Tavis Ormandy, CVE-2021-45444, ABC Research s.r.o, Jon Thompson(Evolve), IA), actae0n(Blacksun Hackers Club working with Trend Micro Zero Day Initiative), Andrew Williams(Google), Avi Drissman(Google), chenyuwang@@mzzzz__(Tencent Security Xuanwu Lab), Jordy Zomer@@pwningsystems, Paul Walker(Bury), Nathaniel Ekoniak(Ennate Technologies), Gergely Kalman@@gergely_kalman(Mandiant), (Mandiant), Joshua Mason(Mandiant), Ron Waisberg(SecuRing), an anonymous researcher(SecuRing), (Perception Point), Ron Hass@@ronhass7(Perception Point), ryuzaki, Chijin Zhou(ShuiMuYuLin Ltd), Tsinghua wingtecher lab, Jeonghoon Shin(Theori), SorryMybad@@S0rryMybad(Kunlun Lab), Dongzhuo Zhao(ADLab of Venustech)
Affected Software
45 affected componentsFixes available
redhat/jbcs-httpd24-httpd<0:2.4.51-28.el8
0:2.4.51-28.el8
redhat/jbcs-httpd24-httpd<0:2.4.51-28.el7
0:2.4.51-28.el7
redhat/httpd24-httpd<0:2.4.34-23.el7.5
0:2.4.34-23.el7.5
debian/apache2
2.4.38-3+deb10u82.4.38-3+deb10u102.4.56-1~deb11u22.4.56-1~deb11u12.4.57-22.4.57-32.4.58-1
Apple macOS Big Sur<11.6.6
11.6.6
Apple Catalina
Apple macOS Monterey<12.4
12.4
Apache HTTP Server>=2.4.7<2.4.52
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Tenable Tenable.Sc>=5.14.0<5.20.0
Tenable Tenable.Sc>=5.16.0<202201.1
Oracle Communications Element Manager<9.0
Oracle Communications Operations Monitor=4.0
Oracle Communications Operations Monitor=4.3
Oracle Communications Operations Monitor=4.4
Oracle Communications Operations Monitor=5.0
Oracle Communications Session Report Manager<9.0
Oracle Communications Session Route Manager<9.0
Oracle HTTP Server
Oracle HTTP Server=12.2.1.3.0
Oracle HTTP Server=12.2.1.4.0
Oracle Instantis Enterprisetrack=17.1
Oracle Instantis Enterprisetrack=17.2
Oracle Instantis Enterprisetrack=17.3
Apple iOS and macOS=10.15.7
Apple iOS and macOS=10.15.7-security_update_2020-001
Apple iOS and macOS=10.15.7-security_update_2021-001
Apple iOS and macOS=10.15.7-security_update_2021-002
Apple iOS and macOS=10.15.7-security_update_2021-003
Apple iOS and macOS=10.15.7-security_update_2021-004
Apple iOS and macOS=10.15.7-security_update_2021-005
Apple iOS and macOS=10.15.7-security_update_2021-006
Apple iOS and macOS=10.15.7-security_update_2021-007
Apple iOS and macOS=10.15.7-security_update_2021-008
Apple iOS and macOS=10.15.7-security_update_2022-001
Apple iOS and macOS=10.15.7-security_update_2022-002
Apple iOS and macOS=10.15.7-security_update_2022-003
Apple macOS<10.15.7
Apple macOS>=11.0<11.6.6
Apple macOS>=12.0.0<12.4
redhat/httpd<2.4.52
2.4.52
Remediation
Patch Available
Patch Available
Information
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Event History
Dec 20, 2021
CVE Published
12:00 AM
CVE Published
via MITRE·11:20 AM
Data Sourced
via MITRE·11:20 AM
DescriptionWeakness
Dec 21, 2021
Data Sourced
via Red Hat·04:49 PM
DescriptionSeverityAffected Software
Frequently Asked Questions
1
What is CVE-2021-44224?
CVE-2021-44224 is a vulnerability in the Apache HTTP server that allows for a null pointer dereference and server-side request forgery (SSRF) when the mod_proxy module is configured as a forward proxy.
2
How does CVE-2021-44224 impact the Apache HTTP server?
CVE-2021-44224 can cause a crash or allow for SSRF attacks if a crafted packet is sent to the forward proxy on the adjacent network.
3
What is the severity of CVE-2021-44224?
CVE-2021-44224 has a severity value of 7, indicating a high severity.
4
How can I fix CVE-2021-44224?
To fix CVE-2021-44224, update Apache HTTP server to version 2.4.53 or later.
5
Are there any references for CVE-2021-44224?
Yes, you can find references for CVE-2021-44224 at the following links: [Link 1](https://support.apple.com/en-us/HT213257), [Link 2](https://support.apple.com/en-us/HT213255), [Link 3](https://support.apple.com/en-us/HT213256).