CVE-2020-13950

7.5 HIGH

📋 TL;DR

CVE-2020-13950 is a NULL pointer dereference vulnerability in Apache HTTP Server's mod_proxy_http module that allows remote attackers to cause a denial of service by sending specially crafted HTTP requests with both Content-Length and Transfer-Encoding headers. This affects Apache HTTP Server versions 2.4.41 through 2.4.46 when mod_proxy_http is enabled. Organizations using vulnerable Apache versions with reverse proxy configurations are at risk.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.41 to 2.4.46
Operating Systems: All operating systems running Apache HTTP Server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when mod_proxy_http module is enabled and configured. Default Apache installations without proxy functionality are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of Apache HTTP Server, disrupting all web services and applications behind the proxy, potentially affecting business operations and availability.

🟠 Likely Case

Apache server crash requiring manual restart, causing temporary service disruption until the process is restored.

🟢 If Mitigated

Minimal impact with proper network segmentation, load balancing, and monitoring that can quickly detect and restart crashed instances.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with conflicting Content-Length and Transfer-Encoding headers. The vulnerability is simple to exploit and has been publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.47 or later

Vendor Advisory: http://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server version 2.4.47 or later from the official Apache website.
2. Stop the Apache service.
3. Back up configuration files.
4. Install the updated version.
5. Restore configuration files.
6. Start the Apache service.

🔧 Temporary Workarounds

Disable mod_proxy_http

Platform: all

Remove or comment out the mod_proxy_http module if proxy functionality is not required:

# Comment out or remove 'LoadModule proxy_http_module modules/mod_proxy_http.so' in httpd.conf

Use mod_security rules

Platform: all

Block requests carrying both a Content-Length and a Transfer-Encoding header. RFC 7230 forbids sending both headers in one message, so rejecting such requests should not affect well-behaved clients.

# Chained rule: the deny fires only when both headers are present in the same request
SecRule REQUEST_HEADERS:Content-Length "^.*$" "chain,id:1001,phase:1,t:none,deny,status:400,msg:'Content-Length and Transfer-Encoding both present (CVE-2020-13950)'"
SecRule REQUEST_HEADERS:Transfer-Encoding "^.*$" "t:none"

🧯 If You Can't Patch

  • Implement network-level filtering to block requests with both Content-Length and Transfer-Encoding headers
  • Deploy web application firewall (WAF) rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Apache version and verify mod_proxy_http is enabled: httpd -v && httpd -M | grep proxy_http

Check Version:

httpd -v

Verify Fix Applied:

Verify Apache version is 2.4.47 or later: httpd -v
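As an added example (not part of this advisory), a small Python helper that applies the two checks above to captured `httpd -v` and `httpd -M` output: it parses the version string, tests it against the affected range 2.4.41 to 2.4.46, and confirms whether proxy_http_module is loaded. The sample outputs are constructed, and the function names are my own.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory, inclusive: 2.4.41 through 2.4.46.
AFFECTED_MIN = (2, 4, 41)
AFFECTED_MAX = (2, 4, 46)

# `httpd -v` prints a line such as "Server version: Apache/2.4.46 (Unix)".
VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")

# Constructed sample outputs (not captured from a real host).
SAMPLE_HTTPD_V = "Server version: Apache/2.4.46 (Unix)\nServer built:   Aug  5 2020\n"
SAMPLE_HTTPD_M = "Loaded Modules:\n core_module (static)\n proxy_module (shared)\n proxy_http_module (shared)\n"

def parse_httpd_version(httpd_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = VERSION_RE.search(httpd_v_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def proxy_http_loaded(httpd_m_output: str) -> bool:
    """True if `httpd -M` lists proxy_http_module (static or shared)."""
    return any(line.strip().startswith("proxy_http_module")
               for line in httpd_m_output.splitlines())

def assess(httpd_v_output: str, httpd_m_output: str) -> str:
    """Combine the version and module checks into one verdict.

    Caveat: distribution packages often backport the fix without changing the
    upstream version string, so 'vulnerable' means 'check the package changelog',
    not a confirmed finding.
    """
    version = parse_httpd_version(httpd_v_output)
    if version is None:
        return "unknown: could not parse version"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "not affected: version outside 2.4.41-2.4.46"
    if not proxy_http_loaded(httpd_m_output):
        return "affected version, but mod_proxy_http not loaded"
    return "vulnerable: affected version with mod_proxy_http loaded"

if __name__ == "__main__":
    print(assess(SAMPLE_HTTPD_V, SAMPLE_HTTPD_M))
```

On Debian-derived systems the binaries are `apache2 -v` and `apache2ctl -M`; the output format is the same.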

📡 Detection & Monitoring

Log Indicators:

  • Apache crash logs
  • Segmentation fault errors in error_log
  • Requests with both Content-Length and Transfer-Encoding headers

Network Indicators:

  • HTTP requests containing both Content-Length and Transfer-Encoding headers
  • Sudden drop in proxy traffic

SIEM Query:

source="apache_access" AND (http_content_length AND http_transfer_encoding)
