CVE-2021-31618 Overview
CVE-2021-31618 is a NULL pointer dereference vulnerability in the Apache HTTP Server's mod_http2 module that can be exploited to cause a denial of service (DoS) condition. The vulnerability exists in the HTTP/2 protocol handler, which checks received request headers against size limitations configured for the server. When a header violation occurs, the server sends an HTTP response to the client indicating why the request was rejected. However, if the offending header is the very first one received or appears in a footer, the rejection response is not fully initialized, leading to a NULL pointer dereference on uninitialized memory that reliably crashes the child process.
Since triggering HTTP/2 requests that exploit this vulnerability are easy to craft and submit, attackers can reliably crash Apache HTTP Server child processes, resulting in service disruption.
Critical Impact
Remote attackers can cause denial of service by sending specially crafted HTTP/2 requests with oversized headers, crashing Apache HTTP Server child processes without requiring authentication.
Affected Products
- Apache HTTP Server version 2.4.47 (never publicly released) and mod_http2 1.15.17
- Fedora 33 and Fedora 34
- Debian Linux 9.0 and 10.0
- Oracle Enterprise Manager Ops Center 12.4.0.0
- Oracle Instantis EnterpriseTrack 17.1, 17.2, and 17.3
- Oracle ZFS Storage Appliance Kit 8.8
Discovery Timeline
- 2021-06-15 - CVE-2021-31618 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-31618
Vulnerability Analysis
This vulnerability (CWE-476: NULL Pointer Dereference) resides in the mod_http2 module of Apache HTTP Server. The HTTP/2 protocol handler validates incoming request headers against configured size limitations that are shared with the HTTP/1 protocol. When a header exceeds these limits, the server generates an error response to reject the request.
The critical flaw occurs during the initialization of this rejection response. Specifically, if the oversized header is either the very first header received in the request or appears within a trailer (footer) section of the HTTP/2 frame, the error response structure is not properly initialized before being accessed. This results in dereferencing a NULL pointer, which causes the Apache child process to crash immediately.
The attack is particularly dangerous because HTTP/2 connections are multiplexed, meaning a single malicious request can disrupt the child process handling multiple legitimate client connections. While the parent Apache process typically respawns child processes, sustained attacks can effectively deny service to legitimate users.
Root Cause
The root cause stems from improper initialization of the HTTP/2 rejection response structure within the mod_http2 module. The code path that handles header size violations fails to fully initialize the response object under two specific conditions:
- When the first header received in a request exceeds the configured LimitRequestFieldSize or LimitRequestFields directives
- When an oversized header appears in HTTP/2 trailers (HEADERS frame with END_STREAM flag)
In both cases, certain fields in the response structure remain NULL when the code attempts to dereference them to send the error response, causing the crash.
Attack Vector
The attack can be executed remotely over the network without any authentication or special privileges. An attacker simply needs to:
- Establish an HTTP/2 connection to the target Apache server
- Send a request with a header that exceeds the server's configured header size limits
- Ensure the oversized header is either the first header in the request or placed in the trailer section
The vulnerability is exploited by sending malformed HTTP/2 requests with oversized headers in specific positions within the frame structure. When the server attempts to process and reject these requests, the uninitialized response object causes a NULL pointer dereference.
An attacker can repeatedly send such requests to continuously crash Apache child processes, resulting in sustained denial of service. The attack requires minimal bandwidth and can be automated trivially.
Detection Methods for CVE-2021-31618
Indicators of Compromise
- Repeated Apache child process crashes in server logs with segmentation fault signals
- Unusual spikes in HTTP/2 connections followed by immediate disconnections
- Error log entries indicating header size limit violations paired with process crashes
- Core dump files showing NULL pointer dereference in mod_http2 code paths
Detection Strategies
- Monitor Apache error logs for patterns of child process termination signals (SIGSEGV) correlated with HTTP/2 connections
- Implement network-level monitoring to detect anomalous HTTP/2 frame patterns with oversized headers
- Deploy intrusion detection signatures that identify HTTP/2 requests with headers exceeding typical size thresholds
- Use web application firewalls (WAF) configured to inspect and block malformed HTTP/2 frames
Monitoring Recommendations
- Configure centralized log aggregation to correlate Apache crash events with incoming connection metadata
- Set up alerting thresholds for Apache child process restart rates exceeding normal operational baselines
- Monitor HTTP/2 connection metrics including frame sizes, header counts, and trailer usage patterns
- Implement real-time dashboards tracking Apache process health and connection anomalies
How to Mitigate CVE-2021-31618
Immediate Actions Required
- Update Apache HTTP Server and mod_http2 to patched versions immediately
- If HTTP/2 is not required, disable it by removing Protocols h2 h2c http/1.1 directives from configuration
- Review and enforce conservative header size limits using LimitRequestFieldSize and LimitRequestFields directives
- Deploy a reverse proxy or WAF that can filter malformed HTTP/2 requests before they reach the Apache server
Patch Information
Apache has addressed this vulnerability in versions following mod_http2 1.15.17. Administrators should upgrade to the latest stable release of Apache HTTP Server, which includes the patched mod_http2 module. For systems where immediate upgrades are not possible, distribution-specific patches are available from vendors including Debian Security Advisory DSA-4937, Fedora Package Updates, and Oracle CPU October 2021. Reference the Apache Security Vulnerabilities page for official guidance.
Workarounds
- Disable HTTP/2 support temporarily by modifying the Protocols directive to only allow HTTP/1.1
- Implement rate limiting on incoming connections to reduce the impact of sustained DoS attacks
- Configure a reverse proxy (such as nginx or HAProxy) in front of Apache to handle HTTP/2 termination
- Use network-level filtering to block clients sending anomalous HTTP/2 traffic patterns
# Disable HTTP/2 in Apache configuration as a temporary workaround
# In httpd.conf or relevant virtual host configuration:
# Comment out or remove HTTP/2 protocol support
# Before (vulnerable):
# Protocols h2 h2c http/1.1
# After (mitigated):
Protocols http/1.1
# Apply changes
sudo systemctl restart httpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
