=====================================================================

                                  CERT-Renater

                       Note d'Information No. 2022/VULN200

_____________________________________________________________________

DATE                : 09/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions prior
                                   to 2.4.54.

=====================================================================
https://httpd.apache.org/security/vulnerabilities_24.html
_____________________________________________________________________


  Fixed in Apache HTTP Server 2.4.54

moderate: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)

     Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server 
allows an attacker to smuggle requests to the AJP server it 
forwards requests to. This issue affects Apache HTTP Server      Apache 
HTTP Server 2.4 version 2.4.53 and prior versions.

     Acknowledgements: Ricter Z @ 360 Noah Lab
     Reported to security team	2022-03-02
     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53


low: read beyond bounds in mod_isapi (CVE-2022-28330)

     Apache HTTP Server 2.4.53 and earlier on Windows may read beyond 
    bounds when configured to process requests with the mod_isapi 
module.

     Acknowledgements: The Apache HTTP Server project would like to 
  thank Ronald Crane (Zippenhop LLC) for reporting this issue

     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53


low: read beyond bounds via ap_rwrite() (CVE-2022-28614)

     The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier 
     may read unintended memory if an attacker can cause the server 
  to reflect very large input using ap_rwrite() or ap_rputs(),      such 
as with mod_luas r:puts() function.

     Acknowledgements: The Apache HTTP Server project would like to 
  thank Ronald Crane (Zippenhop LLC) for reporting this issue

     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53

low: Read beyond bounds in ap_strcmp_match() (CVE-2022-28615)

     Apache HTTP Server 2.4.53 and earlier may crash or disclose 
information due to a read beyond bounds in ap_strcmp_match()      when 
provided with an extremely large input buffer. While no      code 
distributed with the server can be coerced into such a      call, 
third-party modules or lua scripts that use      ap_strcmp_match() may 
hypothetically be affected.

     Acknowledgements: The Apache HTTP Server project would like      to 
thank Ronald Crane (Zippenhop LLC) for reporting this      issue

     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53

low: Denial of service in mod_lua r:parsebody (CVE-2022-29404)

     In Apache HTTP Server 2.4.53 and earlier, a malicious request 
to a lua script that calls r:parsebody(0) may cause a denial      of 
service due to no default limit on possible input size.

     Acknowledgements: The Apache HTTP Server project would like      to 
thank Ronald Crane (Zippenhop LLC) for reporting this issue

     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53


low: mod_sed denial of service (CVE-2022-30522)

     If Apache HTTP Server 2.4.53 is configured to do transformations 
    with mod_sed in contexts where the input to mod_sed may be very
      large, mod_sed may make excessively large memory allocations and 
     trigger an abort.

     Acknowledgements: This issue was found by Brian Moussalli from 
  the JFrog Security Research team

     Update 2.4.54 released	2022-06-08
     Affects	2.4.53


low: Information Disclosure in mod_lua with websockets (CVE-2022-30556)

     Apache HTTP Server 2.4.53 and earlier may return lengths to 
applications calling r:wsread() that point past the end of      the 
storage allocated for the buffer.

     Acknowledgements: The Apache HTTP Server project would like      to 
thank Ronald Crane (Zippenhop LLC) for reporting this issue

     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53


low: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism 
(CVE-2022-31813)

     Apache HTTP Server 2.4.53 and earlier may not send the 
X-Forwarded-* headers to the origin server based on client     side 
Connection header hop-by-hop mechanism.

     This may be used to bypass IP based authentication on the 
origin server/application.

     Acknowledgements: The Apache HTTP Server project would like to 
  thank Gaetan Ferry (Synacktiv) for reporting this issue

     Update 2.4.54 released	2022-06-08
     Affects	<=2.4.53



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================