
Warning: Apache HTTP Server 2.4 - Several critical vulnerabilities patched

Reference: Advisory #2022-006
Version: 1.0
Affected software: Apache HTTP Server 2.4 version <2.4.52
Type: Denial-of-Service and Remote Code Execution
CVE/CVSS:

CVE-2022-22719: CVSS 7.5 - Improper Initialization could lead to DoS

Sources

https://httpd.apache.org/security/vulnerabilities_24.html

Risks

  • An attacker could exploit CVE-2022-23943 by overwriting heap memory with attacker-provided data, which allows arbitrary code execution.
  • CVE-2022-22721 is a boundary error within LimitXMLRequestBody that could allow attackers to perform memory corruption and arbitrary code execution.
  • Improper validation of HTTP requests (CVE-2022-22720) could allow attackers to perform HTTP header smuggling attacks using specially crafted HTTP requests.
  • An attacker-crafted request body could trigger CVE-2022-22719, causing a read from a random memory area and crashing the process. This could be used for a DoS attack.
Description

Apache published a new version, 2.4.53, that contains fixes for several critical vulnerabilities currently present in Apache HTTP Server software. An unpatched Apache HTTP server exposes users to several HTTP server attacks. Successful exploitation of these flaws could lead to code execution or denial-of-service attacks. Although the flaws are exploitable, no active exploitation attempts had been observed at the time of writing.

JFrog released a security blog highlighting CVE-2022-23943 and giving a technical overview of the vulnerability.

Recommended Actions

The Centre for Cyber security Belgium recommends upgrading to Apache version 2.4.53, which contains fixes for the above-mentioned vulnerabilities, with the highest priority. Updates can be found on the Apache HTTP Server Project.

If upgrading Apache to the latest version or applying the patch isn't possible, you are required to limit the POST method's body size. This can be achieved with the LimitRequestBody directive in Apache's configuration file. The directive can be used to set a limit on the request body size, from 0 up to 2GB of data.

This mitigation only provides protection against malicious client requests; it still allows attackers to use mod_sed to modify large files (>2GB) that are present on the vulnerable server.
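Added example (not part of the advisory or of the Apache project's documentation) of how the LimitRequestBody mitigation above can be applied in httpd.conf: a server-wide cap, with a higher cap only on the one path that legitimately needs it. The hostname, paths and byte values are illustrative assumptions.

```apache
# Added example, not from the advisory. Hostname, paths and limits are assumptions.
# Check the running version first (2.4.53 carries the fixes):  httpd -v

# Server-wide default: cap every request body at 1 MiB (1048576 bytes).
# LimitRequestBody defaults to 0, which means "no limit" (the weak setting).
LimitRequestBody 1048576

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/html

    # A path that genuinely needs larger uploads gets its own, still bounded,
    # cap (20 MiB here) instead of inheriting an unlimited body size.
    <Location "/upload">
        LimitRequestBody 20971520
    </Location>

    # Every other path keeps the server-wide 1 MiB cap.
</VirtualHost>

# Validate the syntax before reloading:  apachectl configtest && apachectl graceful
```

Note that this directive does not change LimitXMLRequestBody, which is a separate setting, and, as the advisory states, it does not protect against mod_sed operating on large files already on the server.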

References

https://jfrog.com/blog/diving-into-cve-2022-23943-a-new-apache-memory-corruption-vulnerability/

https://access.redhat.com/security/cve/cve-2022-23943

https://www.iicybersecurity.com/4-critical-vulnerabilities-patched-in-apache-http-server.html