2095012 – (CVE-2022-29404) CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody

Bug 2095012 (CVE-2022-29404) - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody

Summary: CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-29404
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2095013 2097451 2097452 2097453
Blocks:	2095023
TreeView+	depends on / blocked

Reported:	2022-06-08 19:42 UTC by Guilherme de Almeida Suckevicz
Modified:	2024-03-18 13:39 UTC (History)
CC List:	48 users (show)
Fixed In Version:	httpd 2.4.54
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the mod_lua module of httpd. A malicious request to a Lua script that calls parsebody(0) can lead to a denial of service due to no default limit on the possible input size.
Clone Of:
Environment:
Last Closed:	2022-12-04 18:33:49 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:6753	None	None	None	2022-09-29 13:33:38 UTC
Red Hat Product Errata	RHSA-2022:7647	None	None	None	2022-11-08 09:59:53 UTC
Red Hat Product Errata	RHSA-2022:8067	None	None	None	2022-11-15 10:08:49 UTC

Description Guilherme de Almeida Suckevicz 2022-06-08 19:42:15 UTC

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://www.openwall.com/lists/oss-security/2022/06/08/5

Comment 1 Guilherme de Almeida Suckevicz 2022-06-08 19:42:32 UTC

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2095013]

Comment 8 errata-xmlrpc 2022-09-29 13:33:33 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753

Comment 10 errata-xmlrpc 2022-11-08 09:59:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7647 https://access.redhat.com/errata/RHSA-2022:7647

Comment 11 errata-xmlrpc 2022-11-15 10:08:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8067 https://access.redhat.com/errata/RHSA-2022:8067

Comment 12 Product Security DevOps Team 2022-12-04 18:33:45 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29404

Note You need to log in before you can comment on or make changes to this bug.

anon.amish
asoldano
bbaranow
bmaxwell
brian.stansberry
caswilli
cdewolf
chazlett
christoph.karl
csutherl
darran.lofthouse
dkreling
dosoudil
fjansen
fjuma
hhorak
iweiss
jburrell
jclere
jkaluza
jkoehler
jochrist
jorton
jwong
jwon
kaycoth
kyoshida
lgao
luhliari
micjohns
mmadzin
mosmerov
msochure
msvehla
mturk
nwallace
peholase
pjindal
plodge
pmackay
rstancel
rsvoboda
saroy
sid
smaestri
sthirugn
szappis
tom.jenkinson