Warning: Apache HTTP Server 2.4 - Several critical vulnerabilities patched
CVE-2022-22719: CVSS 7.5 - Improper Initialization could lead to DoS
Sources
https://httpd.apache.org/security/vulnerabilities_24.html
Risks
Description
Apache published a new version, 2.4.53, that contains fixes for several critical vulnerabilities currently present in Apache HTTP Server software. An unpatched Apache HTTP server exposes users to several HTTP server attacks. Successful exploitation of these flaws could lead to code execution or denial-of-service attacks. Although the flaws are exploitable, no active exploitation attempts had been observed at the time of writing.
JFrog released a security blog highlighting CVE-2022-23943 and giving a technical overview of the vulnerability.
Recommended Actions
The Centre for Cyber Security Belgium recommends upgrading to Apache version 2.4.53, which contains fixes for the above-mentioned vulnerabilities, with the highest priority. Updates can be found on the Apache HTTP Server Project website.
If upgrading Apache to the latest version or applying the patch isn't possible, you are required to limit the POST method’s body size. This can be achieved with the LimitRequestBody directive in Apache’s configuration file. The directive can be used to set a limit to the request size starting from 0 and up to 2GB of data.
This mitigation only provides protection against malicious client requests; it still allows attackers to use mod_sed to modify large files (>2GB) that are present on the vulnerable server.
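As an added illustration (not part of this advisory or of the Apache project), the following shell check scans an httpd configuration text for LimitRequestBody directives and flags a missing or unlimited (0) setting, so an administrator can confirm the workaround is actually in force. The configuration fragments are constructed samples, and the 10 MiB and 1 MiB values are assumed for the example.

```shell
#!/bin/sh
# Constructed httpd.conf fragment (not from any real server). The "/legacy"
# location sets LimitRequestBody 0, which in Apache means "unlimited" and
# therefore switches the mitigation off for that path.
SAMPLE_CONF='ServerRoot "/etc/httpd"
# Global cap: 10 MiB request bodies (assumed value for this example)
LimitRequestBody 10485760
<Location "/upload">
    LimitRequestBody 1048576
</Location>
<Location "/legacy">
    LimitRequestBody 0
</Location>'

# Same fragment with the unlimited override removed (constructed).
FIXED_CONF='ServerRoot "/etc/httpd"
LimitRequestBody 10485760
<Location "/upload">
    LimitRequestBody 1048576
</Location>'

# Read a config text on stdin, strip comments, and print the value of every
# LimitRequestBody directive (directive names are case-insensitive in httpd).
limit_values() {
    sed 's/#.*$//' | awk 'tolower($1) == "limitrequestbody" { print $2 }'
}

# check_conf CONFIG_TEXT
# Returns 0 when at least one LimitRequestBody is present and every value is
# within 1..2147483647 (the 2GB ceiling the advisory mentions); returns 1 when
# the directive is absent, set to 0 (unlimited), non-numeric, or above 2GB.
check_conf() {
    found=0
    bad=0
    for v in $(printf '%s\n' "$1" | limit_values); do
        found=1
        case "$v" in
            *[!0-9]*) bad=1 ;;
            *) if [ "$v" -eq 0 ] || [ "$v" -gt 2147483647 ]; then bad=1; fi ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}
```

To audit a live server, pass the file contents, e.g. `check_conf "$(cat /etc/httpd/conf/httpd.conf)"`; note that this simple check does not follow Include directives, so each included file must be checked separately.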
References
https://jfrog.com/blog/diving-into-cve-2022-23943-a-new-apache-memory-corruption-vulnerability/
https://access.redhat.com/security/cve/cve-2022-23943
https://www.iicybersecurity.com/4-critical-vulnerabilities-patched-in-apache-http-server.html