CVE-2021-26691

9.8 CRITICAL

📋 TL;DR

CVE-2021-26691 is a critical heap overflow vulnerability in Apache HTTP Server that allows remote attackers to execute arbitrary code or cause denial of service. Attackers can exploit this by sending specially crafted SessionHeader values to vulnerable servers. This affects Apache HTTP Server versions 2.4.0 through 2.4.46.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.0 to 2.4.46
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using mod_session with SessionHeader directive are vulnerable. The vulnerability is in the session handling module.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Denial of service causing server crashes and service disruption, potentially leading to data corruption.

🟢 If Mitigated

Limited impact with proper network segmentation and WAF protection, but still vulnerable to DoS attacks.

🌐 Internet-Facing: HIGH - Apache HTTP Server is commonly internet-facing and the vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal Apache servers could be exploited by compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted SessionHeader values. Public proof-of-concept code exists and the vulnerability is relatively easy to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.47 and later

Vendor Advisory: http://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.47 or later from the official Apache website.
2. Stop the Apache service.
3. Back up configuration files.
4. Install the new version.
5. Restore configuration files.
6. Start the Apache service.
7. Verify the service is running correctly.

🔧 Temporary Workarounds

Disable mod_session

Platforms: all

Remove or comment out mod_session module loading to prevent exploitation.

# Edit httpd.conf or appropriate config file
# Comment out: LoadModule session_module modules/mod_session.so
# Restart Apache: systemctl restart httpd

Use WAF protection

Platforms: all

Configure the Web Application Firewall to block malicious SessionHeader values.

# Example ModSecurity rule
SecRule REQUEST_HEADERS:SessionHeader "@rx \\x00" "id:1001,phase:1,deny,status:400,msg:'CVE-2021-26691 exploit attempt'"
# Restart WAF service

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Apache servers from sensitive systems
  • Deploy intrusion detection/prevention systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Apache version with 'httpd -v' or 'apache2 -v' and confirm whether it falls between 2.4.0 and 2.4.46.

Check Version:

httpd -v 2>&1 | grep 'Server version' || apache2 -v 2>&1 | grep 'Server version'
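The version check above only tells you whether the binary is in the 2.4.0 to 2.4.46 range; the Affected Systems section scopes exposure further to configurations that load mod_session. The following added helper (not part of the advisory) combines both checks offline from the text of 'httpd -v' and 'httpd -M'. It assumes the usual "Server version: Apache/2.4.46 (Unix)" and " session_module (shared)" output formats, and the module listing below is constructed sample input.

```shell
#!/bin/sh
# Added example: decide from `httpd -v` / `httpd -M` text whether a host is in
# the CVE-2021-26691 version range and actually loads mod_session.

# Extract "2.4.46" from a line such as "Server version: Apache/2.4.46 (Unix)".
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 (true) when the version is within 2.4.0 .. 2.4.46 inclusive.
is_vulnerable_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    rel=$(printf '%s' "$1" | cut -d. -f3)
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$rel" ] || return 1
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$rel" -le 46 ]
}

# Return 0 when `httpd -M` output lists session_module (assumed format:
# one module per line, e.g. " session_module (shared)").
session_module_loaded() {
    printf '%s\n' "$1" | grep -q '^ *session_module'
}

# Combine both checks. Exit 0 only when the version is in range AND
# mod_session is loaded; 1 otherwise; 2 if the version cannot be parsed.
assess() {
    ver=$(parse_httpd_version "$1")
    [ -n "$ver" ] || { echo "unknown: could not parse version"; return 2; }
    if is_vulnerable_version "$ver" && session_module_loaded "$2"; then
        echo "VULNERABLE ($ver, mod_session loaded)"; return 0
    elif is_vulnerable_version "$ver"; then
        echo "version in range ($ver) but mod_session not loaded"; return 1
    else
        echo "not affected ($ver)"; return 1
    fi
}

# Constructed sample of `httpd -M` output used for the offline demonstration.
MODS_SAMPLE='Loaded Modules:
 core_module (static)
 session_module (shared)'

# Live use on a host (uncomment):
# assess "$(httpd -v 2>&1)" "$(httpd -M 2>&1)"
```

Run it against a real host by passing the live command output as shown in the last comment; the exit status is suitable for scripting across a fleet.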

Verify Fix Applied:

After patching, verify that the version is 2.4.47 or later with 'httpd -v' and test with sample exploit attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SessionHeader values in access logs
  • Apache process crashes or segmentation faults
  • Large or malformed header values

Network Indicators:

  • Unusual traffic patterns to Apache servers
  • Exploit attempts with crafted SessionHeader values

SIEM Query:

source="apache_access" AND (SessionHeader="*\\x00*" OR SessionHeader="*%00*")

🔗 References
