Apache 2.4.54 HTTP server release with vulnerabilities fixed

The Apache HTTP Server 2.4.54 release has been published. It introduces 19 changes and fixes 8 vulnerabilities:

  • CVE-2022-31813 is a vulnerability in mod_proxy that can cause the X-Forwarded-* headers, which carry the IP address the original request came from, not to be sent to the backend. The problem can be used to bypass access restrictions based on IP addresses.
  • CVE-2022-30556 is a vulnerability in mod_lua that allows access to data outside the allocated buffer via manipulation of the r:wsread() function in Lua scripts.
  • CVE-2022-30522 is a denial of service (exhaustion of available memory) while mod_sed processes certain data.
  • CVE-2022-29404 is a denial of service in mod_lua, triggered by sending specially crafted requests to Lua handlers that use the r:parsebody(0) call.
  • CVE-2022-28615 and CVE-2022-28614 are a denial of service or disclosure of data in process memory caused by errors in the ap_strcmp_match() and ap_rwrite() functions, which result in reads from outside the buffer boundary.
  • CVE-2022-28330 is an out-of-bounds information leak in mod_isapi (the problem only appears on the Windows platform).
  • CVE-2022-26377 is a vulnerability in mod_proxy_ajp that makes front-end/back-end deployments susceptible to "HTTP Request Smuggling" attacks, which allow content to be injected into other users' requests processed in the same thread between the front-end and back-end.
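As an added triage check (not part of the release notes or the Apache project's own tooling), the POSIX shell script below maps a server's version and loaded modules, as reported by `httpd -v` and `httpd -M`, onto the CVEs listed above; the sample banner, the sample module list and the function names are my own constructions.

```shell
#!/bin/sh
# Constructed sample input standing in for the output of `httpd -v` and `httpd -M`
SAMPLE_VERSION="Server version: Apache/2.4.53 (Unix)"
SAMPLE_MODULES="core_module (static)
proxy_module (shared)
proxy_ajp_module (shared)
lua_module (shared)
sed_module (shared)"

# Extract the bare version (e.g. 2.4.53) from the `httpd -v` banner line
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Succeed (exit 0) when version $1 is older than 2.4.54, i.e. these fixes are missing
version_lt_2_4_54() {
    printf '%s\n' "$1" | awk -F. '{ exit !($1 < 2 || ($1 == 2 && ($2 < 4 || ($2 == 4 && $3 < 54)))) }'
}

# Print the CVEs fixed in 2.4.54 that still apply, given a version and a module list
# (one "name_module (...)" line per module, as printed by `httpd -M`)
affected_cves() {
    ver="$1"; mods="$2"
    version_lt_2_4_54 "$ver" || return 0
    has_mod() { printf '%s\n' "$mods" | grep -q "^$1 "; }
    has_mod proxy_module     && echo "CVE-2022-31813 (mod_proxy: X-Forwarded-* headers not sent)"
    has_mod lua_module       && echo "CVE-2022-30556 CVE-2022-29404 (mod_lua: r:wsread, r:parsebody)"
    has_mod sed_module       && echo "CVE-2022-30522 (mod_sed: memory exhaustion)"
    has_mod proxy_ajp_module && echo "CVE-2022-26377 (mod_proxy_ajp: request smuggling)"
    has_mod isapi_module     && echo "CVE-2022-28330 (mod_isapi: out-of-bounds read, Windows only)"
    # ap_strcmp_match()/ap_rwrite() are not tied to a module, so they apply to any pre-2.4.54 build
    echo "CVE-2022-28615 CVE-2022-28614 (core: ap_strcmp_match/ap_rwrite out-of-bounds read)"
}

# Demo on the constructed sample: lists what a 2.4.53 build with these modules still lacks
affected_cves "$(httpd_version "$SAMPLE_VERSION")" "$SAMPLE_MODULES"
```

On a real host, feed it `"$(httpd -v | head -n1)"` and `"$(httpd -M 2>/dev/null | sed 's/^ *//')"` instead of the sample strings.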

The most notable non-security changes are:

  • mod_ssl makes the SSLFIPS mode compatible with OpenSSL 3.0.
  • The ab utility implements support for TLSv1.3 (requires linking against an SSL library that supports this protocol).
  • In mod_md, the MDCertificateAuthority directive now accepts more than one CA name or URL. Two new directives were added: MDRetryDelay (defines the delay before a retry request is sent) and MDRetryFailover (defines the number of failed retries before an alternative CA is chosen). Support was added for the "auto" state when displaying values in the "key: value" format. Certificates can now be managed for users of the Tailscale secure VPN.
  • The mod_http2 module has been cleaned of unused and unsafe code.
  • mod_proxy now includes the backend's network port in error messages written to the log.
  • In mod_heartmonitor, the value of the HeartbeatMaxServers parameter has been changed from 0 to 10 (initialization of 10 shared memory slots).

Source: opennet.ru