The issue may be mitigated by limiting the size of the lua script or module being loaded. Apache HTTP server does not limit the length of the path parameter that can be passed to the lua module. This can lead to remote code execution when unvalidated user-provided input is passed to ap_strcmp_match() . As ap_strcmp_match() is used by all modules that handle static content (e.g. mod_php ), it is possible for unvalidated user-provided input to be used by arbitrary code on other hosts. For example, if a remote user uploads a file with a length of 1GB to an innocent-looking website and that website then serves that file directly, Apache HTTP server will crash as the buffer provided to ap_strcmp_match() will be too large.
Mitigation
The issue may be mitigated by limiting the size of the lua script or module being loaded.
Apache HTTP server code execution vulnerability
The Apache HTTP Server is vulnerable to remote code execution. With this vulnerability, an attacker can run arbitrary code on any Apache HTTP Server instance running the vulnerable version of the software. This flaw can be exploited in multiple ways, including a denial-of-service attack, where an attacker floods the server with a large file. This can also be exploited by an attacker to gain access to sensitive data stored in memory. The most common exploit vector for this vulnerability is via uploading a file as it is referenced by another URL that was not sanitized properly by the developer.
CVE-2023-28616
The issue may be mitigated by limiting the size of the lua script or module being loaded. Apache HTTP server does not limit the length of the path parameter that can be passed to the lua module. This can lead to remote code execution when unvalidated user-provided input is passed to ap_strcmp_match() . As ap_strcmp_match() is used by all modules that handle static content (e.g. mod_php ), it is possible for unvalidated user-provided input to be used by arbitrary code on other hosts. For example, if a remote user uploads a file with a length of 1GB to an innocent-looking website and that website then serves that file directly, Apache HTTP server will crash as the buffer provided to ap_strcmp_match() will be too large.
# If you're looking for more information about how this vulnerability works in practice, check out http://wiki.apache.org/security/CVE-2022-28615
Timeline
Published on: 06/09/2022 17:15:00 UTC
Last modified on: 08/24/2022 18:17:00 UTC
References
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2022/06/08/9
- https://security.netapp.com/advisory/ntap-20220624-0005/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
- https://security.gentoo.org/glsa/202208-20
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28615