CVE-2021-44224: Apache HTTP Server SSRF Vulnerability

CVE-2021-44224 Overview

CVE-2021-44224 is a vulnerability in Apache HTTP Server that can lead to a denial of service condition through a NULL pointer dereference crash, or enable Server Side Request Forgery (SSRF) attacks. The vulnerability is triggered when a specially crafted URI is sent to an Apache httpd instance configured as a forward proxy (with ProxyRequests on). In configurations that mix forward and reverse proxy declarations, attackers can redirect requests to declared Unix Domain Socket endpoints, potentially accessing internal services.

This vulnerability affects Apache HTTP Server versions 2.4.7 through 2.4.51 (inclusive), making it a significant concern for organizations running forward proxy configurations. The issue has broad implications across multiple platforms including Fedora, Debian, Oracle products, Apple macOS, and various enterprise applications that bundle Apache HTTP Server.

Critical Impact

Attackers can crash Apache HTTP Server instances causing service disruption, or exploit SSRF to access internal Unix Domain Socket endpoints that should not be externally accessible.

Affected Products

• Apache HTTP Server 2.4.7 through 2.4.51
• Fedora 34, 35, and 36
• Debian Linux 10.0 and 11.0
• Tenable.sc
• Oracle Communications Element Manager
• Oracle Communications Operations Monitor (versions 4.0, 4.3, 4.4, 5.0)
• Oracle Communications Session Report Manager
• Oracle Communications Session Route Manager
• Oracle HTTP Server (including versions 12.2.1.3.0 and 12.2.1.4.0)
• Oracle Instantis EnterpriseTrack (versions 17.1, 17.2, 17.3)
• Apple macOS and Mac OS X 10.15.7

Discovery Timeline

• December 20, 2021 - CVE-2021-44224 published to NVD
• November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-44224

Vulnerability Analysis

The vulnerability exists in Apache HTTP Server's proxy module when processing URI requests. When httpd is configured as a forward proxy using the ProxyRequests on directive, the server fails to properly validate incoming URI requests before dereferencing pointers associated with the request handling logic.

The dual nature of this vulnerability makes it particularly concerning. The NULL pointer dereference occurs when malformed URIs cause the server to attempt operations on uninitialized or invalid memory locations, resulting in immediate process termination. The SSRF component manifests in mixed proxy configurations where both forward and reverse proxy declarations coexist, allowing attackers to manipulate request routing to reach internal Unix Domain Socket endpoints.

The network-based attack vector with no authentication requirements means any remote attacker can potentially exploit this vulnerability against exposed Apache HTTP Server instances running vulnerable configurations.

Root Cause

The root cause is improper input validation (CWE-476: NULL Pointer Dereference) in the proxy request handling code. When processing specially crafted URIs, the Apache HTTP Server proxy module does not adequately verify that all required data structures are properly initialized before use. This leads to a NULL pointer dereference when the code attempts to access memory through an unvalidated pointer.

In mixed proxy configurations, the lack of proper URI scheme validation allows attackers to construct requests that bypass intended routing restrictions, enabling redirection to Unix Domain Socket endpoints that were only meant to be accessible through reverse proxy declarations.

Attack Vector

The attack is conducted remotely over the network without requiring any authentication or user interaction. An attacker can exploit this vulnerability by:

1. Identifying an Apache HTTP Server instance with forward proxy enabled (ProxyRequests on)
2. Crafting a malicious URI designed to trigger the NULL pointer dereference or SSRF condition
3. Sending the crafted request to the vulnerable server

For the SSRF variant, the attacker must target configurations where forward and reverse proxy declarations coexist. The crafted URI manipulates the proxy routing logic to direct requests to internal Unix Domain Socket endpoints, potentially accessing internal services, APIs, or application backends that should not be externally accessible.

The vulnerability is exploitable through standard HTTP requests, making it accessible via common tools and requiring no specialized exploitation frameworks.

Detection Methods for CVE-2021-44224

Indicators of Compromise

• Unexpected Apache httpd process crashes or restarts in error logs
• HTTP requests containing malformed or unusual URI schemes targeting proxy endpoints
• Access log entries showing requests directed at Unix Domain Socket paths (e.g., paths containing unix: scheme)
• Increased error log entries related to proxy module failures or segmentation faults

Detection Strategies

• Monitor Apache error logs for segmentation fault messages or NULL pointer dereference crashes
• Implement web application firewall (WAF) rules to detect and block malformed proxy requests
• Audit Apache configurations for ProxyRequests on directive and mixed forward/reverse proxy setups
• Deploy network intrusion detection signatures for suspicious proxy request patterns targeting Unix Domain Socket endpoints

Monitoring Recommendations

• Enable detailed logging for the Apache proxy module to capture request details for forensic analysis
• Set up automated alerting for Apache httpd process crashes or unexpected restarts
• Implement log aggregation and analysis to correlate proxy-related errors across multiple server instances
• Monitor for unusual internal service access patterns that may indicate successful SSRF exploitation

How to Mitigate CVE-2021-44224

Immediate Actions Required

• Update Apache HTTP Server to version 2.4.52 or later immediately
• If immediate patching is not possible, disable forward proxy functionality by removing or commenting out ProxyRequests on directive
• Review and audit all proxy configurations for mixed forward and reverse proxy declarations
• Implement network segmentation to limit exposure of Apache HTTP Server instances configured as forward proxies

Patch Information

Apache has released version 2.4.52 which addresses this vulnerability. Organizations should upgrade to this version or later to remediate the issue.

Patches and updated packages are available from:

• Apache HTTP Server Security Vulnerabilities
• Debian Security Advisory DSA-5035
• Oracle CPU January 2022 Security Alerts
• Oracle CPU April 2022 Security Alerts
• Apple Security Update HT213255
• Tenable Security Notification TNS-2022-01

Workarounds

• Disable forward proxy functionality by removing ProxyRequests on from Apache configuration if not required
• Restrict access to proxy endpoints using <Proxy> directives and access control rules to limit which clients can use proxy features
• Implement strict network access controls to prevent untrusted networks from reaching forward proxy endpoints
• Use a reverse proxy or load balancer in front of Apache to filter malicious requests before they reach vulnerable configurations

# Configuration example - Disable forward proxy or restrict access
# In httpd.conf or proxy.conf:

# Option 1: Disable forward proxy entirely (comment out or remove)
# ProxyRequests Off

# Option 2: If forward proxy is required, restrict access
<Proxy "*">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Proxy>

# Ensure reverse proxy configurations are explicit
ProxyPass "/app" "unix:/var/run/app.sock|http://localhost/app"
ProxyPassReverse "/app" "http://localhost/app"