#VU7116 NULL pointer dereference in Apache HTTP Server
Vulnerability identifier: #VU7116
Vulnerability risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-592
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Apache HTTP Server
Server applications /
Web servers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to a NULL pointer dereference error within mod_ssl module, when third-party modules call ap_hook_process_connection() function during an HTTP request to an HTTPS port. A remote attacker can send a specially crafted HTTP request and crash the affected web server.
Mitigation
Update Apache HTTP server to version 2.2.34 or 2.4.26.
Vulnerable software versions
Apache HTTP Server: 2.2.0 - 2.4.25
External links
http://httpd.apache.org/security/vulnerabilities_22.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
