CVE-2021-44224

8.2 HIGH

📋 TL;DR

This vulnerability in Apache HTTP Server allows attackers to crash the server via NULL pointer dereference or perform Server-Side Request Forgery (SSRF) when the server is configured as a forward proxy. It affects Apache HTTP Server versions 2.4.7 through 2.4.51. Organizations using Apache as a forward proxy or with mixed forward/reverse proxy configurations are at risk.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.7 through 2.4.51 (inclusive)
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when ProxyRequests is enabled (forward proxy configuration) or when mixing forward and reverse proxy declarations.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full SSRF allowing attackers to send requests to internal Unix Domain Socket endpoints, potentially accessing sensitive internal services or data.

🟠 Likely Case: Denial of service through server crashes, disrupting proxy services and dependent applications.

🟢 If Mitigated: Limited impact if forward proxy functionality is disabled or proper network segmentation isolates proxy servers.

🌐 Internet-Facing: HIGH - Internet-facing Apache servers with forward proxy enabled are directly exploitable.
🏢 Internal Only: MEDIUM - Internal proxy servers could be exploited by internal attackers or through lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted URIs to vulnerable proxy endpoints. Public disclosures include technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache HTTP Server 2.4.52 and later

Vendor Advisory: http://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.52 or later from official sources.
2. Back up the current configuration.
3. Install the updated version following the Apache documentation.
4. Restart the Apache service.

🔧 Temporary Workarounds

Disable forward proxy (all platforms): Disable the ProxyRequests directive to prevent exploitation. Set 'ProxyRequests Off' in httpd.conf or the appropriate configuration file.

Restrict proxy access (all platforms): Use Require directives to limit which clients can use the proxy. Add 'Require ip 192.168.1.0/24' or similar to the proxy configuration sections.

🧯 If You Can't Patch

  • Disable ProxyRequests directive immediately
  • Implement network-level restrictions to limit access to proxy endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Apache version and the ProxyRequests configuration: run 'httpd -v' and grep for 'ProxyRequests' in the configuration files.

Check Version:

httpd -v

Verify Fix Applied:

Verify the Apache version is 2.4.52 or later: 'httpd -v | grep "Apache/2.4"' and confirm the patch level shown is 52 or higher.
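A shell triage helper that turns the two verification steps above (version banner and ProxyRequests setting) into functions with a single verdict. This is an added example, not part of the advisory or the Apache project; the sample banner and configuration text are constructed, and the verdict labels are my own.

```shell
#!/bin/sh
# Added triage helper for CVE-2021-44224 (not from the advisory or the Apache
# project). It turns the "How to Verify" steps into functions: parse the
# `httpd -v` banner, then check whether the configuration actually enables the
# forward proxy, since an affected build with ProxyRequests Off is not exposed.
# Returns 0 if the version in an `httpd -v` banner is in 2.4.7..2.4.51,
# 2 if no "Apache/x.y.z" version can be found, 1 otherwise.
version_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*Apache\/\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    rest=${ver#* }
    minor=${rest%% *}
    patch=${rest#* }
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 7 ] && [ "$patch" -le 51 ]; then
        return 0
    fi
    return 1
}

# Returns 0 if the configuration text in $1 has an active "ProxyRequests On".
# httpd directive names and On/Off are case-insensitive; lines starting with
# '#' are comments, so a commented-out directive does not count.
forward_proxy_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)'
}

# Prints one of three verdicts; always returns 0 so it is safe under set -e.
triage() {
    if version_affected "$1" && forward_proxy_enabled "$2"; then
        echo VULNERABLE     # affected build with forward proxy on: patch now
    elif version_affected "$1"; then
        echo PATCH-NEEDED   # affected build, ProxyRequests off: not exposed yet
    else
        echo NOT-AFFECTED   # outside 2.4.7..2.4.51, or banner not parseable
    fi
    return 0
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER='Server version: Apache/2.4.51 (Unix)'
SAMPLE_CONF='# ProxyRequests On
ProxyRequests On
ProxyPass "/app" "unix:/var/run/app.sock|http://localhost/"'

triage "$SAMPLE_BANNER" "$SAMPLE_CONF"   # prints VULNERABLE
```

Feed it real input with `triage "$(httpd -v)" "$(cat /etc/httpd/conf/httpd.conf)"`; note it only checks the ProxyRequests prerequisite, not every mixed forward/reverse proxy layout.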

📡 Detection & Monitoring

Log Indicators:

  • Unusual proxy requests with crafted URIs
  • Apache segmentation fault or crash logs
  • Requests to unusual Unix Domain Socket paths

Network Indicators:

  • HTTP requests with malformed URIs to proxy endpoints
  • Traffic patterns suggesting SSRF attempts

SIEM Query:

source="apache" AND (uri="*://*" OR error="segmentation fault")
