Apache 2.4 Vulnerabilities


Article ID: 277855


Products

CA Automic Dollar Universe

Issue/Introduction

Multiple vulnerabilities were reported during a scan, identified by the CVEs below:

CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813

Environment

Component: Dollar Universe 6.x, 7.x

Resolution

  • CVE-2022-26377 : This issue affects Apache HTTP Server 2.4, version 2.4.53 and prior versions.
  • CVE-2022-28330 : Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
  • CVE-2022-28614 : The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if the server uses the 'ap_rputs' function.
  • CVE-2022-28615 : Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer.
  • CVE-2022-29404 : In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
  • CVE-2022-30522 : If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
  • CVE-2022-30556 : Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
  • CVE-2022-31813 : Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server, based on the client-side Connection header hop-by-hop mechanism. This may be used to bypass IP-based authentication on the origin server/application.

The vulnerabilities above concern the Apache HTTP Server. Components of Dollar Universe are not impacted by them, as Dollar Universe does not use the Apache HTTP Server.
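Scanners usually raise these findings from a version banner, so the useful check when triaging them is whether the flagged host actually runs Apache HTTP Server and, if so, whether its version falls inside the ranges the article lists (2.4.53 and earlier for seven of the CVEs; 2.4.53 as worded for CVE-2022-30522). The following is an added example, not Broadcom's or the Apache project's code: it classifies a line of evidence such as `httpd -v` output or an HTTP `Server:` header and reports which of the article's CVEs apply. The host names and banner strings are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# The eight CVEs from this article and the affected range as the article words it:
# "<=" means 2.4.53 and earlier; "==" means 2.4.53 only (the article's wording for CVE-2022-30522).
ARTICLE_CVES = {
    "CVE-2022-26377": "<=",
    "CVE-2022-28330": "<=",
    "CVE-2022-28614": "<=",
    "CVE-2022-28615": "<=",
    "CVE-2022-29404": "<=",
    "CVE-2022-30522": "==",
    "CVE-2022-30556": "<=",
    "CVE-2022-31813": "<=",
}
LAST_AFFECTED = (2, 4, 53)

# Matches "Apache/2.4.53 (Unix)" (from `httpd -v` or a Server: header) and a bare
# "Apache" banner (ServerTokens Prod hides the version). Deliberately does not match
# "Apache-Coyote/1.1" or "Apache Tomcat/9.x", which are Tomcat, not httpd.
_HTTPD_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)\.(\d+))?(?![\w-])(?!\s+Tomcat)")

Version = Optional[Tuple[int, int, int]]


def triage_banner(text: str) -> Tuple[str, Version, List[str]]:
    """Classify one line of scanner evidence against the article's CVE list.

    Returns (status, version, matching_cves):
      "not-apache-httpd"           - the banner is not Apache HTTP Server; nothing to patch here
      "apache-httpd-version-hidden" - httpd present but version not exposed; confirm on the host
      "apache-httpd"               - httpd with a parsed version; CVEs whose range includes it
    """
    m = _HTTPD_RE.search(text)
    if not m:
        return ("not-apache-httpd", None, [])
    if m.group(1) is None:
        return ("apache-httpd-version-hidden", None, [])
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # Tuple comparison orders versions component by component.
    hits = [
        cve for cve, rule in ARTICLE_CVES.items()
        if (rule == "<=" and ver <= LAST_AFFECTED) or (rule == "==" and ver == LAST_AFFECTED)
    ]
    return ("apache-httpd", ver, hits)


# Constructed sample evidence, one banner per host (hypothetical hosts, not real systems).
SAMPLE_EVIDENCE = {
    "host-a": "Server version: Apache/2.4.53 (Unix)",
    "host-b": "Apache/2.4.54 (Debian)",
    "host-c": "nginx/1.22.1",
    "host-d": "Apache",
    "host-e": "Apache-Coyote/1.1",
}


def triage_all(evidence=SAMPLE_EVIDENCE):
    """Run triage_banner over every host and return {host: (status, version, cves)}."""
    return {host: triage_banner(banner) for host, banner in evidence.items()}


if __name__ == "__main__":
    for host, (status, ver, cves) in triage_all().items():
        print(f"{host}: {status} version={ver} cves={cves}")
```

A host whose evidence is `not-apache-httpd` is the situation this article describes: the scanner matched a product or port, but there is no Apache HTTP Server to update, so the finding should be closed as not applicable with the banner recorded as justification. A `version-hidden` result is the one case that cannot be settled from the banner alone and needs the version confirmed on the host itself.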

Please refer to the Third Party Software Acknowledgements for more details on the 3rd-party libraries and software used in Dollar Universe.