Security Vulnerabilities fixed in Apache HTTP Server 2.4.54

Description

Apache HTTP Server 2.4.53 and earlier if configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abor, also a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. HTTP Request Smuggling vulnerability exists in mod_proxy_ajp of Apache HTTP Server, which allows an attacker to smuggle requests to the AJP server it forwards requests to. A read beyond bounds when configured to process requests with the mod_isapi module is also seen. An integer overflow vulnerability is also seen with the ap_rwrite() function where an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. Integer oveflow can also be triggered when ap_strcmp_match() is provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. Insufficient Verification of Data Authenticity due to X-Forwarded-* headers not being sent to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Exposing information because r:wsread() that point past the end of the storage allocated for the buffer.

Affected Applications

HTTP Server

CVE References

CVE-2022-30522 CVE-2022-28330 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-26377 CVE-2022-30556 CVE-2022-31813

Other References

https://httpd.apache.org/security/vulnerabilities_24.html