CVE-2021-36160
📋 TL;DR
CVE-2021-36160 is an out-of-bounds read vulnerability in Apache HTTP Server's mod_proxy_uwsgi module. A specially crafted URI path can cause the server to read beyond allocated memory boundaries, leading to a crash and denial of service. This affects Apache HTTP Server versions 2.4.30 through 2.4.48 when mod_proxy_uwsgi is enabled.
💻 Affected Systems
- Apache HTTP Server
📦 What is this software?
- Brocade Fabric Operating System Firmware by Broadcom
- Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
- Enterprise Manager Base Platform by Oracle
- Fedora by Fedoraproject
- Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for the Apache HTTP Server, potentially affecting all hosted websites and applications.
Likely Case
Service disruption through server crashes requiring manual restart, leading to availability issues.
If Mitigated
Minimal impact if mod_proxy_uwsgi is disabled or proper request filtering is implemented.
🎯 Exploit Status
Exploitation requires sending a specially crafted URI path to a vulnerable Apache server with mod_proxy_uwsgi enabled. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache HTTP Server 2.4.49
Vendor Advisory: http://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Download Apache HTTP Server 2.4.49 or later from the official Apache website.
2. Stop the Apache service.
3. Install the updated version.
4. Restart the Apache service.
5. Verify the version is 2.4.49 or higher.
🔧 Temporary Workarounds
Disable mod_proxy_uwsgi
Remove or comment out the mod_proxy_uwsgi module from the Apache configuration
# Edit httpd.conf or appropriate config file
# Comment out: LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
# Or remove the line entirely
# Then restart Apache: systemctl restart httpd
Implement request filtering
Use mod_rewrite or a WAF to filter suspicious URI paths
# Add to Apache configuration:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[a-zA-Z0-9._~!$&'()*+,;=:@/-]*$
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Disable mod_proxy_uwsgi module if not required for functionality
- Implement network segmentation to limit access to vulnerable servers
- Deploy a web application firewall (WAF) with DoS protection rules
- Monitor server logs for unusual URI patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Run httpd -v to read the version (2.4.30 through 2.4.48 is affected) and search the configuration files for an active LoadModule proxy_uwsgi_module line; the server is only exposed when both conditions hold.
Check Version:
httpd -v
Verify Fix Applied:
Verify the Apache version is 2.4.49 or higher: httpd -v | grep -E 'Apache/2\.4\.(49|[5-9][0-9])' (matches 2.4.49 through 2.4.99; a plain match on 'Apache/2\.4\.' would also accept affected builds). Distribution packages may backport the fix without changing the reported version; for those, confirm the fixed package version against the distribution advisory listed in the References instead.
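The two checks above combined into one script, added here as an example (not code from the page or the Apache project): it parses the `httpd -v` banner and the `httpd -M` module listing and reports a verdict using the page's affected range of 2.4.30 through 2.4.48. The sample banner and module list are constructed; a distribution build that backports the fix may still report an affected version number.

```shell
#!/bin/sh
# Added example, not from the page or the Apache project: decide whether an
# httpd build is exposed to CVE-2021-36160 using the page's affected range
# (2.4.30 through 2.4.48) and whether mod_proxy_uwsgi is actually loaded.
# Assumes the standard `httpd -v` banner and `httpd -M` module listing.

# Returns 0 when VERSION (e.g. "2.4.41") is inside 2.4.30..2.4.48.
affected_version() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}                 # strip suffixes such as "-dev"
    case $patch in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" = 2 ] && [ "$minor" = 4 ] || return 1
    [ "$patch" -ge 30 ] && [ "$patch" -le 48 ]
}

# Prints the version from a banner such as "Server version: Apache/2.4.41 (Unix)".
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p' | head -n 1
}

# Returns 0 when the `httpd -M` listing contains proxy_uwsgi_module.
uwsgi_loaded() {
    printf '%s\n' "$1" | grep -q '^ *proxy_uwsgi_module'
}

# Verdict: not-exposed (module absent), vulnerable, fixed, or unknown (banner unparsed).
assess() {
    ver=$(version_from_banner "$1")
    if ! uwsgi_loaded "$2"; then echo not-exposed
    elif [ -z "$ver" ]; then echo unknown
    elif affected_version "$ver"; then echo vulnerable
    else echo fixed
    fi
}

# Constructed sample output in the shape `httpd -v` and `httpd -M` print.
SAMPLE_V='Server version: Apache/2.4.41 (Unix)
Server built:   Aug 10 2021 10:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_uwsgi_module (shared)'

assess "$SAMPLE_V" "$SAMPLE_M"             # prints: vulnerable
# On a real host: assess "$(httpd -v)" "$(httpd -M 2>/dev/null)"
```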
📡 Detection & Monitoring
Log Indicators:
- Apache process crashes
- Segmentation fault errors in error_log
- Unusual URI patterns with special characters
- Multiple connection resets
Network Indicators:
- Unusual HTTP requests with malformed URI paths
- Increased 5xx error responses
- Sudden service unavailability
SIEM Query:
source="apache_error.log" AND ("segmentation fault" OR "core dumped" OR "SIGSEGV")
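A host-side version of the log indicators above, added as an example (not code from the page or the Apache project): it scans an Apache 2.4 error_log for child-crash records (the AH00052 "exit signal" lines the SIEM query targets), flags minutes in which crashes cluster, and lists the crashed child pids for cross-referencing with access_log. The log lines are constructed; the default 2.4 error_log format is assumed.

```shell
#!/bin/sh
# Added example, not from the page or the Apache project: scan an Apache 2.4
# error_log for child-process crash records (AH00052 "exit signal ...") and
# flag minutes where crashes cluster, the pattern a DoS against
# mod_proxy_uwsgi would leave. Sample lines below are constructed.

# Reads a log on stdin and prints the total number of child-crash lines.
count_child_crashes() {
    grep -c 'AH00052: child pid [0-9]* exit signal' || true
}

# Reads a log on stdin; prints "HH:MM n" for every minute with n >= THRESHOLD crashes.
crash_bursts() {
    awk -v t="$1" '
        /AH00052: child pid [0-9]+ exit signal/ {
            # $4 is the time field, e.g. 10:00:01.123456; bucket by HH:MM
            split($4, hms, ":")
            n[hms[1] ":" hms[2]]++
        }
        END { for (k in n) if (n[k] >= t) printf "%s %d\n", k, n[k] }' | sort
}

# Reads a log on stdin; prints the pids of crashed children. A child that
# segfaults never writes the access_log entry for the request that killed it,
# so correlate on the requests that pid served just before the crash time.
crashed_pids() {
    sed -n 's/.*AH00052: child pid \([0-9]*\) exit signal.*/\1/p'
}

SAMPLE_LOG='[Tue Sep 21 10:00:01.123456 2021] [core:notice] [pid 1000:tid 1] AH00052: child pid 1234 exit signal Segmentation fault (11)
[Tue Sep 21 10:00:02.223456 2021] [core:notice] [pid 1000:tid 1] AH00052: child pid 1235 exit signal Segmentation fault (11)
[Tue Sep 21 10:00:03.323456 2021] [mpm_event:notice] [pid 1000:tid 1] AH00489: Apache/2.4.41 (Unix) configured -- resuming normal operations
[Tue Sep 21 10:00:04.423456 2021] [core:notice] [pid 1000:tid 1] AH00052: child pid 1236 exit signal Segmentation fault (11)
[Tue Sep 21 10:05:00.000001 2021] [core:notice] [pid 1000:tid 1] AH00052: child pid 1240 exit signal Segmentation fault (11)'

printf '%s\n' "$SAMPLE_LOG" | count_child_crashes    # prints: 4
printf '%s\n' "$SAMPLE_LOG" | crash_bursts 3         # prints: 10:00 3
# On a real host: crash_bursts 3 < /var/log/httpd/error_log
```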
🔗 References
- http://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3Ccvs.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html
- https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211008-0004/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
- https://www.debian.org/security/2021/dsa-4982
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html