CVE-2022-28614 The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs().

Reportedly, ap_rputs() is used to send data to the client in mod_proxy. If a proxy module is compiled with the 'ap_rputs' function and is passed a very large string, the module may read beyond the end of the allocated memory and trigger a segmentation fault.

Red Hat Enterprise Linux 5, Centos 5, and similar Linux distributions are not officially supported. However, the issue may be resolved by upgrading to Apache HTTP Server 2.4.88 or later. End-users who have issues with the ap_rputs() function may try one of the following workarounds: In the proxy module, set the length of the requested data using the length directive. For example: # length length=10k; # length length=999; Alternatively, use the '\0' escape sequence to send a null character at the end of the data. For example: # length length=10k; # length length=\0; Apache HTTP Server 2.4.88 and later no longer use ap_rputs() or ap_rwrite() to send data to the client. Therefore, the issue may no longer be present.

Apache HTTP Server 2.2.x  2.4.x

Apache HTTP Server 2.2.x and Apache HTTP Server 2.4.x are supported on Red Hat Enterprise Linux 5, Centos 5, and similar Linux distributions. These versions of the server are not officially supported due to the use of ap_rputs() to send data to the client in mod_proxy (CVE-2022-28614).

Apache HTTP Server 2.4 and earlier

Apache HTTP Server 2.4 and earlier use ap_rputs() and ap_rwrite() to send data to the client. If a proxy module is compiled with these functions, it may read beyond the end of the allocated memory and trigger a segmentation fault. The following workarounds can be tried: In the proxy module, set the length of the requested data using the length directive. For example: # length length=10k; # length length=999; Alternatively, use the '\0' escape sequence to send a null character at the end of the data. For example: # length length=10k; # length length=\0;

Apache HTTP Server 2.4 and 2.2

Apache HTTP Server 2.4 no longer uses ap_rputs() or ap_rwrite(). Thus, this issue may no longer be necessary.

Timeline

Published on: 06/09/2022 17:15:00 UTC
Last modified on: 08/24/2022 18:25:00 UTC

References

• http://www.openwall.com/lists/oss-security/2022/06/08/4
• https://httpd.apache.org/security/vulnerabilities_24.html
• https://security.netapp.com/advisory/ntap-20220624-0005/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
• https://security.gentoo.org/glsa/202208-20
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28614