
=====================================================================

                                CERT-Renater

                      Information Note No. 2021/VULN118
_____________________________________________________________________

DATE                : 16/03/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions prior
                     to 2.4.53.

=====================================================================
https://lists.apache.org/thread/44461pf81t6qvg301ktd4brxh98oq8h3
https://lists.apache.org/thread/xvht0v4501jw3m9blvpqq1dhvvwoj4sq
https://lists.apache.org/thread/60xz1qrhrx4wxpqh9cnjpkko09hb71dj
https://lists.apache.org/thread/fzdgfxwmly0jxsrwy6lxqto4gn7b8fcy
_____________________________________________________________________

CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value
in r:parsebody

Severity: moderate

Description:

A carefully crafted request body can cause a read from a random memory
area, which could crash the process.

This issue affects Apache HTTP Server 2.4.52 and earlier.


Credit:

Chamal De Silva

_____________________________________________________________________

CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP 
Server 2.4.52 and earlier

Severity: important


Description:

Apache HTTP Server 2.4.52 and earlier fails to close the inbound
connection when errors are encountered while discarding the request
body, exposing the server to HTTP request smuggling.


Credit:

James Kettle <james.kettle portswigger.net>

_____________________________________________________________________

CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with 
very large or unlimited LimitXMLRequestBody

Severity: low


Description:

If LimitXMLRequestBody is set to allow request bodies larger than 350MB
(the default is 1M) on 32-bit systems, an integer overflow occurs which
later causes out-of-bounds writes.

This issue affects Apache HTTP Server 2.4.52 and earlier.


Credit:

Anonymous working with Trend Micro Zero Day Initiative
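The two actionable statements in this note are the affected range (versions prior to 2.4.53) and the LimitXMLRequestBody condition for CVE-2022-22721. The following pre-upgrade audit script is an added example, not CERT-Renater or Apache HTTP Server Project code: it parses the output of `httpd -v`, decides whether the build is in the affected range, and scans a configuration fragment for LimitXMLRequestBody directives set to 0 (unlimited) or above 350MB. The `httpd -v` output and the httpd.conf fragment embedded below are constructed samples; the "Server version: Apache/x.y.z" line format is assumed from the standard `httpd -v` banner.

```python
"""Pre-upgrade audit for the 2.4.53 security release (added example).

Checks, from constructed sample input:
  1. whether a running httpd falls in the affected range (< 2.4.53),
     read from the `httpd -v` banner;
  2. whether any LimitXMLRequestBody directive is 0 (unlimited) or larger
     than 350 MB, the condition under which CVE-2022-22721 applies on
     32-bit builds.
"""
import re

FIXED_VERSION = (2, 4, 53)               # first release containing the fixes
OVERFLOW_THRESHOLD = 350 * 1024 * 1024   # "larger than 350MB" per the note

# Constructed sample of `httpd -v` output from an affected build.
SAMPLE_HTTPD_V = """Server version: Apache/2.4.52 (Unix)
Server built:   Dec 20 2021 13:22:04
"""

# Constructed httpd.conf fragment with one safe and one risky setting.
SAMPLE_CONFIG = """
# modest explicit limit, fine
<Directory "/var/www/dav">
    LimitXMLRequestBody 2000000
</Directory>
# unlimited: the CVE-2022-22721 condition on 32-bit builds
<Location "/big-dav">
    LimitXMLRequestBody 0
</Location>
"""


def parse_httpd_version(text):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Anything before 2.4.53 is in the note's affected range."""
    return version is not None and version < FIXED_VERSION


def audit_limit_xml_request_body(config_text, bits=32):
    """Return (line_no, value, finding) for each LimitXMLRequestBody line.

    httpd treats 0 as unlimited; above OVERFLOW_THRESHOLD on a 32-bit
    build is the overflow condition the note describes. Comments are
    stripped before matching so commented-out directives are ignored.
    """
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)LimitXMLRequestBody\s+(\d+)\s*$", stripped)
        if not m:
            continue
        value = int(m.group(1))
        if value == 0:
            finding = "unlimited"
        elif bits == 32 and value > OVERFLOW_THRESHOLD:
            finding = "exceeds 350MB on 32-bit"
        else:
            finding = "ok"
        findings.append((no, value, finding))
    return findings


def run_audit(httpd_v_output, config_text, bits=32):
    """Combine both checks into one report dictionary."""
    version = parse_httpd_version(httpd_v_output)
    findings = audit_limit_xml_request_body(config_text, bits)
    risky = [f for f in findings if f[2] != "ok"]
    return {
        "version": version,
        "affected": is_affected(version),
        "xml_body_findings": findings,
        # the overflow needs both an affected build and a risky limit
        "cve_2022_22721_exposed": is_affected(version) and bool(risky),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_HTTPD_V, SAMPLE_CONFIG)
    v = report["version"]
    print("httpd version: %s" % (".".join(map(str, v)) if v else "unknown"))
    print("affected (< 2.4.53):", report["affected"])
    for no, value, finding in report["xml_body_findings"]:
        print("  line %d: LimitXMLRequestBody %d -> %s" % (no, value, finding))
    print("CVE-2022-22721 condition present:",
          report["cve_2022_22721_exposed"])
```

On a real host, feed `subprocess.run(["httpd", "-v"], capture_output=True, text=True).stdout` and the contents of the active configuration files to `run_audit`; a result of `affected` alone already means the upgrade to 2.4.53 is due, and the LimitXMLRequestBody findings show which virtual hosts or locations are additionally exposed to CVE-2022-22721 until then.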

_____________________________________________________________________

CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds

Severity: important


Description:

An out-of-bounds write vulnerability in mod_sed of Apache HTTP Server
allows an attacker to overwrite heap memory with possibly
attacker-provided data.

This issue affects Apache HTTP Server 2.4.52 and earlier.


Credit:

Ronald Crane (Zippenhop LLC)


___________________________________________________________________

                 Apache HTTP Server 2.4.53 Released

    March 09, 2022

    The Apache Software Foundation and the Apache HTTP Server Project
    are pleased to announce the release of version 2.4.53 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
    a feature and bug fix release.

    We consider this release to be the best version of Apache available,
    and encourage users of all prior versions to upgrade.

    Apache HTTP Server 2.4.53 is available for download from:

      https://httpd.apache.org/download.cgi

    Apache 2.4 offers numerous enhancements, improvements, and
    performance boosts over the 2.2 codebase.  For an overview of new
    features introduced since 2.4 please see:

      https://httpd.apache.org/docs/trunk/new_features_2_4.html

    Please see the CHANGES_2.4 file, linked from the download page, for a
    full list of changes. A condensed list, CHANGES_2.4.53 includes only
    those changes introduced since the prior 2.4 release.  A summary of
    all of the security vulnerabilities addressed in this and earlier
    releases is available:

      https://httpd.apache.org/security/vulnerabilities_24.html

    This release requires the Apache Portable Runtime (APR), minimum
    version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
    require the 1.6.x version of both APR and APR-Util. The APR libraries
    must be upgraded for all features of httpd to operate correctly.

    This release builds on and extends the Apache 2.2 API.  Modules
    written for Apache 2.2 will need to be recompiled in order to run
    with Apache 2.4, and require minimal or no source code changes.

      https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

    When upgrading or installing this version of Apache, please bear in
    mind that if you intend to use Apache with one of the threaded MPMs
    (other than the Prefork MPM), you must ensure that any modules you
    will be using (and the libraries they depend on) are thread-safe.

    Please note the 2.2.x branch has now passed the end of life at the
    Apache HTTP Server project and no further activity will occur
    including security patches.  Users must promptly complete their
    transitions to this 2.4.x release of httpd to benefit from further
    bug fixes or new features.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

