null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Http_server | Apache | 2.4.0 (including) | 2.4.60 (excluding) |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-httpd-0:2.4.57-13.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_http2-0:1.15.19-41.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_md-1:2.4.24-11.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_security-0:2.9.3-40.el8jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.57-13.el7jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.19-41.el7jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el7jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_md-1:2.4.24-11.el7jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el7jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_security-0:2.9.3-40.el7jbcs | * |
| Red Hat Enterprise Linux 7.7 Advanced Update Support | RedHat | httpd-0:2.4.6-90.el7_7.4 | * |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | httpd-0:2.4.6-99.el7_9.2 | * |
| Red Hat Enterprise Linux 8 | RedHat | httpd:2.4-8100020240712114234.489197e6 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | httpd:2.4-8020020240720043142.4cda2c84 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | httpd:2.4-8040020240720035525.522a0ee4 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | httpd:2.4-8040020240720035525.522a0ee4 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | httpd:2.4-8040020240720035525.522a0ee4 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | httpd:2.4-8060020240719220036.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | httpd:2.4-8060020240719220036.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | httpd:2.4-8060020240719220036.ad008a3a | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | httpd:2.4-8080020240717184413.63b34585 | * |
| Red Hat Enterprise Linux 9 | RedHat | httpd-0:2.4.57-11.el9_4 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | httpd-0:2.4.51-7.el9_0.7 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | httpd-0:2.4.53-11.el9_2.8 | * |
| Text-Only JBCS | RedHat | jbcs-httpd24-httpd | * |
| Apache2 | Ubuntu | devel | * |
| Apache2 | Ubuntu | esm-infra/bionic | * |
| Apache2 | Ubuntu | esm-infra/focal | * |
| Apache2 | Ubuntu | esm-infra/xenial | * |
| Apache2 | Ubuntu | focal | * |
| Apache2 | Ubuntu | jammy | * |
| Apache2 | Ubuntu | mantic | * |
| Apache2 | Ubuntu | noble | * |
| Apache2 | Ubuntu | oracular | * |
| Apache2 | Ubuntu | plucky | * |
| Apache2 | Ubuntu | questing | * |
| Apache2 | Ubuntu | trusty/esm | * |
| Apache2 | Ubuntu | upstream | * |
Potential Mitigations
References
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://security.netapp.com/advisory/ntap-20240712-0001/
- http://seclists.org/fulldisclosure/2024/Oct/11
- http://www.openwall.com/lists/oss-security/2024/07/01/10
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://security.netapp.com/advisory/ntap-20240712-0001/