Apache HTTP Server 2.4.53 released with dangerous vulnerabilities fixed

The release of Apache HTTP Server 2.4.53 has been published; it introduces 14 changes and fixes 4 vulnerabilities:

  • CVE-2022-22720 - an HTTP request smuggling vulnerability: by sending specially crafted requests, an attacker can inject into the content of other users' requests forwarded through mod_proxy (for example, to inject malicious JavaScript into another user's session on the site). The problem is caused by the server leaving the inbound connection open after encountering an error while discarding an invalid request body, so that the unread body bytes can be interpreted as the beginning of a further request on the same connection.
  • CVE-2022-23943 - a buffer overflow (out-of-bounds write) in the mod_sed module that lets an attacker overwrite heap memory with attacker-controlled data.
  • CVE-2022-22721 - an out-of-bounds write caused by an integer overflow when a request body larger than 350 MB is supplied. The problem affects 32-bit systems on which LimitXMLRequestBody is set too high (the default is 1 MB; the limit must exceed 350 MB for the attack to work).
  • CVE-2022-22719 - a vulnerability in mod_lua that allows reading random memory areas and crashing the process when a specially crafted request body is processed. The problem is caused by the use of uninitialized values in the code of the r:parsebody function.
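For CVE-2022-22721 the exposure is a configuration question: is LimitXMLRequestBody (default 1000000 bytes, 0 meaning unlimited) set above the advisory's 350 MB threshold on a 32-bit build? The following Python script is an added example, not code from the article or from the httpd project. It scans configuration text for the directive and treats 0 and anything above 350 * 1024 * 1024 bytes as risky; the advisory states the threshold only as "350MB", so the MiB interpretation is an assumption. The sample configuration is constructed for the example.

```python
"""Audit Apache httpd configuration text for LimitXMLRequestBody values that
make CVE-2022-22721 reachable on 32-bit builds.

Added example, not part of the original article or the httpd project.
Assumptions: the directive takes a byte count, 0 means unlimited, the
default is 1000000 bytes, and the advisory's "350MB" is read as MiB.
"""
import re

DEFAULT_LIMIT = 1_000_000          # httpd default when the directive is absent
THRESHOLD = 350 * 1024 * 1024      # assumed reading of the advisory's 350MB
UNLIMITED = 0                      # LimitXMLRequestBody 0 disables the limit

# Apache directives are case-insensitive; the value is a plain byte count.
DIRECTIVE = re.compile(r'^\s*LimitXMLRequestBody\s+(\d+)\s*$', re.IGNORECASE)

# Constructed sample configuration: two weak settings and one corrected one.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
LoadModule dav_module modules/mod_dav.so
<Directory "/var/www/dav">
    Dav On
    # weak: unlimited XML bodies, reachable on 32-bit
    LimitXMLRequestBody 0
</Directory>
<Directory "/var/www/dav2">
    Dav On
    # weak: 500 MiB, above the 350 MB threshold
    LimitXMLRequestBody 524288000
</Directory>
# corrected: explicit 1000000 bytes (the default)
LimitXMLRequestBody 1000000
"""


def effective_limits(config_text):
    """Return (line_no, value) for every LimitXMLRequestBody occurrence.

    Comment lines are skipped. Include directives are not followed and
    <Directory>/<Location> scoping is not resolved: every occurrence is
    reported so the reviewer can judge its scope by hand.
    """
    found = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.strip().startswith('#'):
            continue
        match = DIRECTIVE.match(line)
        if match:
            found.append((line_no, int(match.group(1))))
    return found


def is_risky(value):
    """A limit is risky when it is unlimited or above the advisory threshold."""
    return value == UNLIMITED or value > THRESHOLD


def audit(config_text):
    """Return the risky occurrences as (line_no, value).

    A configuration that never sets the directive yields an empty list,
    because the default of 1000000 bytes is far below the threshold.
    """
    return [(n, v) for n, v in effective_limits(config_text) if is_risky(v)]


if __name__ == "__main__":
    for line_no, value in audit(SAMPLE_CONFIG):
        shown = "unlimited" if value == UNLIMITED else f"{value} bytes"
        print(f"line {line_no}: LimitXMLRequestBody {shown} exceeds {THRESHOLD} bytes")
```

The script reports every occurrence rather than computing the effective per-directory value, and it does not follow Include directives, so run it over each included file as well as the main configuration; a configuration that never mentions the directive keeps the safe default.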

The most notable non-security changes are:

  • In mod_proxy, the maximum length of a worker (handler) name has been increased. Timeouts can now be configured separately for the backend and the frontend (for example, per worker). For requests tunnelled via WebSocket or the CONNECT method, the timeout used is now the maximum of the values set for the backend and the frontend.
  • Opening DBM files and loading the DBM driver are now handled separately. On failure, the log gives more detailed information about the error and the driver involved.
  • mod_md no longer handles requests to /.well-known/acme-challenge/ unless the domain's configuration explicitly enables the 'http-01' challenge type.
  • In mod_dav, a regression that caused high memory consumption when handling a large number of resources has been fixed.
  • Added the ability to use the pcre2 (10.x) library instead of pcre (8.x) for regular-expression processing.
  • Escaping of LDAP query filters has been added so that data inserted into a filter is escaped correctly, defending against LDAP injection attacks.
  • In mpm_event, a deadlock that could occur on restart or when the MaxConnectionsPerChild limit is reached on heavily loaded servers has been fixed.
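The LDAP filter escaping item above concerns the classic LDAP injection problem: user-supplied text placed unescaped into a search filter can change the filter's structure. The following Python code is an added example, not the implementation in mod_authnz_ldap or mod_ldap; it applies the escaping rules of RFC 4515 section 3 and shows an unescaped filter beside the escaped one, with a small paren counter to make the structural change visible. The filter template and the attacker string are constructed for the example.

```python
"""LDAP search-filter escaping per RFC 4515, as an added illustration of the
LDAP injection defence. Not code from httpd or its LDAP modules.

The vulnerable construction and the escaped one are shown side by side;
count_open_parens() shows how an injected value adds filter components.
"""

# RFC 4515 section 3: inside an assertion value, '*', '(', ')', '\' and NUL
# must be written as a backslash followed by two hex digits.
_LDAP_SPECIALS = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

# Constructed filter template; a real deployment would take this from the
# AuthLDAPURL or application configuration.
FILTER_TEMPLATE = '(&(objectClass=person)(uid=%s))'

# Constructed attacker string: closes the uid assertion and opens a wildcard one.
INJECTED_USERNAME = '*)(uid=*'


def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return ''.join(_LDAP_SPECIALS.get(ch, ch) for ch in value)


def unsafe_filter(username):
    """Vulnerable: attacker-controlled text lands directly in filter syntax."""
    return FILTER_TEMPLATE % username


def safe_filter(username):
    """Hardened: the value is escaped, so it can only ever be compared as data."""
    return FILTER_TEMPLATE % escape_filter_value(username)


def count_open_parens(flt):
    """Count unescaped '(' characters, i.e. the number of filter components.

    A '\\XX' escape sequence is skipped as a unit so that an escaped '\\28'
    is not mistaken for a structural parenthesis.
    """
    count = 0
    i = 0
    while i < len(flt):
        if flt[i] == '\\':
            i += 3          # skip the backslash and its two hex digits
            continue
        if flt[i] == '(':
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for label, flt in (("unsafe", unsafe_filter(INJECTED_USERNAME)),
                       ("safe  ", safe_filter(INJECTED_USERNAME))):
        print(f"{label}: {flt}  components={count_open_parens(flt)}")
```

With the injected username the unescaped filter gains a fourth component, `(uid=*)`, which matches every person entry; the escaped filter keeps three components and compares `uid` against the literal string `*)(uid=*`. Values that go into a distinguished name rather than a filter need the separate escaping rules of RFC 4514, which this example does not cover.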

Source: opennet.ru
