Error in the affected Software/OS description?

Hi,

I got the Apache HTTP Server < 2.4.48 NULL Pointer Dereference Vulnerability - Linux (OID: 1.3.6.1.4.1.25623.1.0.117232) in my last scan regarding CVE-2021-31618.

In the description for affected Software/OS it says that all Apache HTTP Servers before version 2.4.48 on Linux are vulnerable. However, NVD states the following: “This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only”.

Is this something that could be updated?

Hello,

and welcome to this community forum.

It seems this is not actually a “real” error, as the vendor initially stated that <= 2.4.47 is affected, as seen on the initially published advisory page here:

https://web.archive.org/web/20210603195110/http://httpd.apache.org/security/vulnerabilities_24.html

and the VT was created back then in 2021 based on that published version info.

So technically speaking it actually was correct based on the available info back then.

But in this specific case the vendor probably corrected the wrongly published version info in the meantime without any additional follow-up announcement or marking the update as such (on that page), so it can always happen that required updates go unnoticed. :-/

Nonetheless, the VT in question can indeed be updated based on the newly available info; this will happen in the next few days.

5 Likes
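To make the difference between the two advisory statements concrete, here is an added example (not code from the forum or from any Greenbone VT) that evaluates a list of detected Apache versions against the original "< 2.4.48" range and the corrected "2.4.47 only" range; the range specs, the detected versions and the helper names are constructed for illustration.

```python
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '2.4.47' into a comparable tuple."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def make_range_check(spec: str) -> Callable[[Version], bool]:
    """Build a predicate from an affected-range spec like '<2.4.48' or '==2.4.47'.

    Only the comparison operators a version-based vulnerability test typically
    needs are supported.
    """
    m = re.fullmatch(r"(<=|<|==|>=|>)\s*(\d+(?:\.\d+)*)", spec.strip())
    if not m:
        raise ValueError(f"unsupported range spec: {spec!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    ops = {
        "<": lambda v: v < bound,
        "<=": lambda v: v <= bound,
        "==": lambda v: v == bound,
        ">=": lambda v: v >= bound,
        ">": lambda v: v > bound,
    }
    return ops[op]


# Constructed specs: the range the VT was originally built from ("all versions
# before 2.4.48") and the narrowed range published later ("2.4.47 only").
ORIGINAL_RANGE = "<2.4.48"
CORRECTED_RANGE = "==2.4.47"


def classify(detected: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each detected version to (flagged by original, flagged by corrected)."""
    original = make_range_check(ORIGINAL_RANGE)
    corrected = make_range_check(CORRECTED_RANGE)
    return {v: (original(parse_version(v)), corrected(parse_version(v)))
            for v in detected}


def false_positives_after_correction(detected: List[str]) -> List[str]:
    """Versions the original range flags but the corrected range does not."""
    return [v for v, (old, new) in classify(detected).items() if old and not new]
```

Running `false_positives_after_correction(["2.4.41", "2.4.46", "2.4.47", "2.4.48"])` shows which hosts would have been reported under the old version info but are not affected according to the corrected advisory.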

One additional important note:

The VT in question has a “low” (< 70 %) Quality of Detection (QoD) and does not show up by default in reports. While the VT could be updated, please be aware that using a non-default filter will show VTs which are generally more prone to false positives.

More reading about the QoD concept is available at the 11.2.6 Quality of Detection Concept section of the manual.

5 Likes

Thanks for the fast reply. I am currently doing my bachelor thesis and am investigating vulnerabilities with low QoDs found in a company network. Interesting to see how many of them are actually real vulnerabilities and not just false positives. I will probably ask more questions in the near future if something else catches my eye :)

4 Likes

Oh, and strangely enough, oss-security - Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request even says:

in fact it was fixed in 2.4.47

while Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project actually says:

This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only
snip
Affects 2.4.47

One of the many pitfalls with (automated) vulnerability scanning: the results can only be as good as the reliability of the info the vendor publishes on the affected and fixed versions :frowning:

5 Likes

Two short additional notes:

3 Likes