Vulnerability CVE-2022-22721: Information

Description

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-22721
Published: March 14, 2022
Modified: Nov. 7, 2023
Error type identifier: CWE-190

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
apache2sisyphus2.4.53-alt12.4.59-alt1ALT-PU-2022-1522-1296910Fixed
apache2sisyphus_e2k2.4.53-alt12.4.59-alt1ALT-PU-2022-4367-1-Fixed
apache2sisyphus_riscv642.4.53-alt12.4.59-alt1ALT-PU-2022-4318-1-Fixed
apache2p102.4.53-alt12.4.59-alt1ALT-PU-2022-1574-1296911Fixed
apache2p10_e2k2.4.53-alt12.4.59-alt1ALT-PU-2022-4409-1-Fixed
apache2p92.4.53-alt12.4.58-alt1ALT-PU-2022-1602-1296912Fixed
apache2p9_e2k2.4.53-alt12.4.57-alt2ALT-PU-2022-4735-1-Fixed
apache2c10f12.4.53-alt12.4.59-alt1ALT-PU-2022-1574-1296911Fixed
apache2c9f22.4.53-alt12.4.59-alt1ALT-PU-2022-1553-1296913Fixed
apache2p112.4.53-alt12.4.59-alt1ALT-PU-2022-1522-1296910Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://httpd.apache.org/security/vulnerabilities_24.html
  • Vendor Advisory
[oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
  • Mailing List
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20220321-0001/
  • Third Party Advisory
[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
  • Mailing List
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
  • Patch
  • Third Party Advisory
https://support.apple.com/kb/HT213256
  • Third Party Advisory
https://support.apple.com/kb/HT213257
  • Third Party Advisory
https://support.apple.com/kb/HT213255
  • Third Party Advisory
20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
  • Third Party Advisory
20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
  • Third Party Advisory
20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
  • Third Party Advisory
N/A
  • Third Party Advisory
GLSA-202208-20
  • Third Party Advisory
FEDORA-2022-b4103753e9
    FEDORA-2022-21264ec6db
      FEDORA-2022-78e3211c55

          1. Configuration 1

            cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
            End including
            2.4.52

            Configuration 2

            cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

            Configuration 3

            cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

            Configuration 4

            cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
            cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
            cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
            cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

            Configuration 5

            cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
            Start including
            10.15
            End excliding
            10.15.7
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*
            cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
            Start including
            11.0
            End excliding
            11.6.6
            cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*
            cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
            Start including
            12.0
            End excliding
            12.4
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.3
        Back to top