#VU93538 NULL pointer dereference in Apache HTTP Server - CVE-2024-36387

Cybersecurity Help s.r.o.

Published: 2024-07-01

Vulnerability identifier: #VU93538

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-36387

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when handling websocket over HTTP/2 connections. A remote attacker can send specially crafted data to the web server and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.4.55 - 2.4.59

External links
https://lists.apache.org/thread/8dslvr98bxcvzxz7cwq6h3q6h2xgk0oo

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat JBoss Core Services Apache HTTP Server

Anolis OS update for httpd

Multiple vulnerabilities in HPE HP-UX Apache Web Server

Multiple vulnerabilities in OpenShift Logging 5.8

Red Hat Enterprise Linux 9 update for mod_http2

Multiple vulnerabilities in Dell NetWorker And NetWorker Management Console

Multiple vulnerabilities in cPanel EasyApache

Multiple vulnerabilities in IBM Rational Build Forge

Multiple vulnerabilities in IBM Aspera Console

Gentoo update for Apache HTTPD