CVE-2021-20325

9.8 CRITICAL

📋 TL;DR

CVE-2021-20325 is a Red Hat-specific security regression where fixes for CVE-2021-40438 and CVE-2021-26691 were missing in httpd packages shipped with RHEL 8.5.0, making systems vulnerable to those CVEs even though they were properly fixed in RHEL 8.4. This affects users who installed or updated to RHEL 8.5.0.

💻 Affected Systems

Products:
  • httpd (Apache HTTP Server)
Versions: Red Hat Enterprise Linux 8.5.0 specifically
Operating Systems: Red Hat Enterprise Linux 8.5.0
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Red Hat's packaged versions in RHEL 8.5.0; upstream Apache versions are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise via the underlying vulnerabilities (CVE-2021-40438 and CVE-2021-26691) that should have been patched.

🟠 Likely Case

Denial of service, information disclosure, or privilege escalation depending on which underlying CVE is exploited.

🟢 If Mitigated

No impact if systems are properly patched or workarounds are applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits target the underlying CVEs (CVE-2021-40438 and CVE-2021-26691), for which public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to the corrected httpd packages for RHEL 8.5.0, or to a later release

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2017321

Restart Required: Yes

Instructions:

1. Update system: sudo yum update httpd
2. Verify update: rpm -q httpd
3. Restart httpd: sudo systemctl restart httpd

🔧 Temporary Workarounds

Downgrade to RHEL 8.4

Revert to RHEL 8.4, where the fixes were properly applied.

Consult Red Hat support for downgrade procedures.

Disable affected modules

Disable mod_proxy or other modules if not needed, to reduce attack surface.

Comment out LoadModule lines in httpd.conf for unused modules.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Use web application firewall (WAF) rules to block exploit patterns

🔍 How to Verify

Check if Vulnerable:

Check RHEL version and httpd package: cat /etc/redhat-release && rpm -q httpd

Check Version:

rpm -q httpd --queryformat '%{VERSION}-%{RELEASE}\n'

Verify Fix Applied:

Verify that the installed httpd package version matches the fixed release listed in the Red Hat advisory.
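The check above, scripted as an added example (not part of the advisory): it runs the two commands from this page, confirms the host is on the affected release, and compares the installed httpd version-release against the fixed build. The fixed version-release is not given on this page, so FIXED_EVR is a placeholder you must set from the Red Hat advisory; the version comparison uses `sort -V` natural ordering rather than full rpm EVR semantics, which is an assumption that holds for the simple version-release strings involved.

```shell
#!/bin/sh
# Added example, not from the advisory: checks whether this host is on the affected
# release and whether the installed httpd version-release is below the fixed one.
# FIXED_EVR is a PLACEHOLDER; set it to the httpd version-release listed in the Red Hat
# advisory for CVE-2021-20325 before relying on the result.
FIXED_EVR="${FIXED_EVR:-}"

# evr_lt A B: succeeds when version-release string A sorts strictly below B
# (uses `sort -V` natural version ordering; not full rpm EVR semantics)
evr_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# assess_httpd INSTALLED_EVR RELEASE_STRING: prints one of
#   NOT_AFFECTED  - not a RHEL 8.5 host (the regression is specific to 8.5.0)
#   UNKNOWN       - FIXED_EVR not configured
#   VULNERABLE    - installed httpd is older than the fixed build
#   FIXED         - installed httpd is at or beyond the fixed build
assess_httpd() {
    installed="$1"
    release="$2"
    case "$release" in
        *"Red Hat Enterprise Linux release 8.5"*) ;;
        *) echo "NOT_AFFECTED"; return 0 ;;
    esac
    if [ -z "$FIXED_EVR" ]; then
        echo "UNKNOWN"
        return 0
    fi
    if evr_lt "$installed" "$FIXED_EVR"; then
        echo "VULNERABLE"
    else
        echo "FIXED"
    fi
}

# check_live: runs the page's two verification commands and feeds their output to assess_httpd
check_live() {
    release=$(cat /etc/redhat-release 2>/dev/null) || { echo "not a Red Hat system"; return 2; }
    installed=$(rpm -q httpd --queryformat '%{VERSION}-%{RELEASE}\n' 2>/dev/null) \
        || { echo "httpd not installed"; return 2; }
    assess_httpd "$installed" "$release"
}

# Run as: FIXED_EVR='<version-release from the advisory>' sh check_httpd.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it on the host with FIXED_EVR exported; without it the script reports UNKNOWN rather than guessing, so an unset placeholder can never be mistaken for a clean result.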

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to mod_proxy endpoints
  • Error logs showing malformed requests

Network Indicators:

  • Exploit traffic patterns for CVE-2021-40438 and CVE-2021-26691

SIEM Query:

source="apache" AND (error_code="500" OR request_uri CONTAINS "proxy")
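The SIEM query above applied offline to Apache access-log lines, as an added example that is not part of this page: it flags requests with status 500 or a URI containing "proxy", and then lists clients with more than one flagged request, which is the "unusual requests to mod_proxy endpoints" indicator in a form you can run against a log file. The sample lines are constructed for the demonstration and are not real traffic.

```shell
#!/bin/sh
# Added example, not from the advisory: applies the page's SIEM query offline to Apache
# combined-format access-log lines (status 500 OR request URI containing "proxy").

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Nov/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:02 +0000] "GET /proxy/ HTTP/1.1" 500 0 "-" "curl/7.61.1"
203.0.113.9 - - [10/Nov/2021:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:04 +0000] "POST /app HTTP/1.1" 500 42 "-" "curl/7.61.1"'

# flag_requests: reads log lines on stdin; prints "client uri status" for each line that
# matches the query. The request line and status are taken from the quoted fields so that
# a URI containing spaces does not shift the status column.
flag_requests() {
    awk '{
        n = split($0, q, "\"")          # q[2] = request line, q[3] = " status bytes "
        if (n < 3) next                 # not a combined-format line
        split(q[2], r, " ")
        uri = r[2]
        split(q[3], s, " ")
        status = s[1]
        if (status == "500" || index(uri, "proxy") > 0)
            printf "%s %s %s\n", $1, uri, status
    }'
}

# count_flagged: number of SAMPLE_LOG lines the query matches
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_requests | wc -l | tr -d ' '
}

# repeat_offenders: clients with more than one flagged request, printed as "client count"
repeat_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | flag_requests \
        | awk '{ c[$1]++ } END { for (k in c) if (c[k] > 1) print k, c[k] }'
}

# Run as: sh flag_proxy.sh --demo   (or: flag_requests < /var/log/httpd/access_log)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_requests
    repeat_offenders
fi
```

On a real host, pipe the access log into flag_requests; a 500 on its own is noisy, so the repeat-offender view is the one worth alerting on.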

🔗 References
