製品・ソフトウェアに関する情報
Vulnerability Search
Apache HTTP Server 2.4 における複数の脆弱性に対するアップデート
Title Apache HTTP Server 2.4 における複数の脆弱性に対するアップデート
Summary

The Apache Software Foundation から、Apache HTTP Server 2.4 系における次の複数の脆弱性に対応した Apache HTTP Server 2.4.50 が公開されました。  * HTTP/2 リクエストの処理における、NULL ポインタ参照の脆弱性 - CVE-2021-41524  * パスの正規化処理の欠陥による、パストラバーサルの脆弱性 - CVE-2021-41773

Possible impacts 想定される影響は各脆弱性により異なりますが、次のような影響を受ける可能性があります。   * サービス運用妨害 (DoS) - CVE-2021-41524  * ドキュメントルート外に置かれた「require all denied」で保護されていないファイルにアクセスされる - CVE-2021-41773  
Solution

[アップデートする] <a href="https://downloads.apache.org/httpd/Announcement2.4.html"target="blank">開発者が提供する情報</a>をもとに、最新版にアップデートしてください。

Publication Date Oct. 6, 2021, midnight
Registration Date Oct. 7, 2021, 2 p.m.
Last Update Jan. 27, 2022, 1:38 p.m.
Affected System
Apache Software Foundation
Apache HTTP Server 2.4.49
CVE (情報セキュリティ 共通脆弱性識別子)
ベンダー情報
その他
Change Log
No Changed Details Date of change
1 [2021年10月07日]   掲載 Oct. 7, 2021, 11:55 a.m.
2 [2022年01月27日]
  ベンダ情報:日本電気 (NV22-003) を追加		 Jan. 27, 2022, 11:28 a.m.
NVD Vulnerability Information
CVE-2021-41524
Summary

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

Publication Date Oct. 5, 2021, 6:15 p.m.
Registration Date Oct. 5, 2021, 8 p.m.
Last Update Nov. 21, 2024, 3:26 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Configuration2 or higher or less more than less than
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
Configuration4 or higher or less more than less than
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List
CVE-2021-41773
Summary

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Publication Date Oct. 5, 2021, 6:15 p.m.
Registration Date Oct. 5, 2021, 8 p.m.
Last Update Nov. 21, 2024, 3:26 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Configuration2 or higher or less more than less than
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
Configuration4 or higher or less more than less than
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List