Apple just announced a long list of fourteen CVE fixes in their Monterey 12.2 release notes.

Notably absent is CVE-2021-44224 (as patched December 20th, 2021 by Ubuntu).

Apache titled this flaw a “Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier”.

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). Credits: 漂亮é¼

Running on every 12.1 macOS is a bundled httpd version 2.4.51, so I find it curious that a 2021 critical CVE still isn’t mentioned in Apple’s latest upgrade announcement. It seems macOS isn’t affected by the proxy configuration issue here, yet it still deserves some mention from Apple.

The flaw in httpd (in proxy_util.c) for this CVE is reported to be basically this one line:

url = ap_proxy_de_socketfy(p, url);

And here was the change made, to verify that the called function also finds a string (URL):

url = ap_proxy_de_socketfy(p, url);
if (!url) {
return NULL;
}

In other words a patched httpd checks for NULL in the URL, as memory reads might otherwise attempt to use an undefined NULL pointer.