CVE-2021-26690 - NULL Pointer Dereference

Severity

75%

Complexity

39%

Confidentiality

60%

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

CVSS 3.1 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Demo Examples

NULL Pointer Dereference

CWE-476

While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.


               
}

                     

                           /* make use of pointer1 *//* ... */

If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.

NULL Pointer Dereference

CWE-476

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.


               
}

                     
strcpy(hostname, hp->h_name);/*routine that ensures user_supplied_addr is in the right format for conversion */

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).

NULL Pointer Dereference

CWE-476

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.


               
cmd = cmd.trim();

NULL Pointer Dereference

CWE-476

This application has registered to handle a URL when sent an intent:


               
}......

                     
}

                           
}
int length = URL.length();
...

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Overview

First reported 3 years ago

2021-06-10 07:15:00

Last updated 3 years ago

2021-12-01 21:33:00

Affected Software

Apache Software Foundation Apache HTTP Server

Debian Linux 9.0

9.0

Oracle Instantis EnterpriseTrack 17.1

17.1

Oracle Instantis EnterpriseTrack 17.2

17.2

Oracle Instantis EnterpriseTrack 17.3

17.3

References

N/A

N/A

[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference

[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference

N/A

Release Notes, Vendor Advisory, Release Notes, Release Notes, Vendor Advisory, Vendor Advisory

N/A

Mailing List, Vendor Advisory, Mailing List, Mailing List, Vendor Advisory

[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference

Vendor Advisory, Mailing List, Mailing List, Vendor Advisory

[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

Mailing List, Vendor Advisory, Mailing List, Mailing List, Vendor Advisory, Vendor Advisory

[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference

Mailing List, Third Party Advisory, Mailing List, Mailing List, Third Party Advisory, Third Party Advisory

N/A

Release Notes, Vendor Advisory

N/A

Mailing List, Vendor Advisory

[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference

Mailing List, Vendor Advisory

[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

Mailing List, Vendor Advisory

[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference

Mailing List, Third Party Advisory

https://security.netapp.com/advisory/ntap-20210702-0001/

[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update

DSA-4937

GLSA-202107-38

https://security.netapp.com/advisory/ntap-20210702-0001/

Third Party Advisory

[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update

Mailing List, Third Party Advisory

DSA-4937

Mailing List, Third Party Advisory

GLSA-202107-38

Third Party Advisory

FEDORA-2021-dce7e7738e

FEDORA-2021-e3f6dd670d

https://www.oracle.com/security-alerts/cpuoct2021.html

FEDORA-2021-dce7e7738e

Mailing List, Third Party Advisory

FEDORA-2021-e3f6dd670d

Mailing List, Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.