CVE-2022-22721 LimitXMLRequestBody can cause an integer overflow, which later causes out of bounds writes.

We have fixed the issue in Apache by setting the request limit to a lower value.

Apache HTTP Server 2.4.53 has been released with the following improvements: When LimitXMLHeaderSize is set to limit an invalid header size, Apache now disconnects the client connection instead of trying to send an invalid header. This prevents a denial of service attack where the client sends a malformed request which Apache cannot parse. This setting only applies to requests with a request body (e.g. PUT, POST, etc).

Added support for LimitXMLHeaderSize in Apache HTTP Server 2.4.52. For more information on the security impact of this issue, see our blog post: Denial of Service Vulnerability in Apache HTTP Server Affects PHP Applications. The new LimitXMLHeaderSize option in Apache can significantly reduce the impact of the PHP “header buffer overflow” vulnerability.

Fixed a crash in Apache when enabling mod_deflate or mod_scgi with certain configurations. This issue affects Apache HTTP Server 2.4.51 and earlier.

Other Improvements

In Apache HTTP Server 2.4.53, we have fixed the issue in Apache by setting the request limit to a lower value.


Apache HTTP Server 2.4.52

Apache HTTP Server 2.4.52 has been released with the following improvements:
When LimitXMLHeaderSize is set to limit an invalid header size, Apache now disconnects the client connection instead of trying to send an invalid header. This prevents a denial of service attack where the client sends a malformed request which Apache cannot parse. This setting only applies to requests with a request body (e.g. PUT, POST, etc).
Added support for LimitXMLHeaderSize in Apache HTTP Server 2.4.52. For more information on the security impact of this issue, see our blog post: Denial of Service Vulnerability in Apache HTTP Server Affects PHP Applications. The new LimitXMLHeaderSize option in Apache can significantly reduce the impact of the PHP “header buffer overflow” vulnerability.
Fixed a crash in Apache when enabling mod_deflate or mod_scgi with certain configurations

Security Enhancements in Apache HTTP Server 2.4.52

The new LimitXMLHeaderSize option in Apache can significantly reduce the impact of the PHP “header buffer overflow” vulnerability.
For more information on the security impact of this issue, see our blog post: Denial of Service Vulnerability in Apache HTTP Server Affects PHP Applications
