CVE-2021-31618: 
Apache HTTP Server vulnerability analysis and mitigation

CVE-2021-31618 is a vulnerability in Apache HTTP Server's HTTP/2 protocol handler that was discovered in 2021. The issue affected modhttp2 1.15.17 and Apache HTTP Server version 2.4.47 only (Apache HTTP Server 2.4.47 was never released). The vulnerability was reported by LI ZHI XIN from NSFocus Security Team ([Apache Advisory](http://httpd.apache.org/security/vulnerabilities24.html), OSS Security).

The vulnerability occurs when the HTTP/2 protocol handler checks received request headers against size limitations configured for the server. When these restrictions are violated, an HTTP response is sent to the client with a status code indicating the rejection reason. However, this rejection response was not fully initialized in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a footer. This led to a NULL pointer dereference on uninitialized memory, causing the child process to crash reliably. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Since the triggering HTTP/2 request is easy to craft and submit, this vulnerability can be exploited to cause a Denial of Service (DoS) condition on the server. The successful exploitation results in the crash of the child process, affecting the server's availability (OSS Security).

The vulnerability was addressed in subsequent versions of the Apache HTTP Server. Organizations using affected versions should upgrade to a patched version. Various vendors have released security updates to address this vulnerability, including Debian, Fedora, and others (Debian Security Advisory, Fedora Update).