Description
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
A buffer overflow flaw in httpd's lua module could allow an out-of-bounds write. An attacker who is able to submit a crafted request to an httpd instance that is using the lua module may be able to cause an impact to confidentiality, integrity, and/or availability.
Statement
httpd as shipped in Red Hat Enterprise Linux 6 is NOT affected by this flaw because it does not ship mod_lua.
Mitigation
Disabling mod_lua and restarting httpd will mitigate this flaw. See https://access.redhat.com/articles/10649 for more information.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | httpd | Not affected | | |
Red Hat Enterprise Linux 9 | httpd | Not affected | | |
Red Hat JBoss Core Services | jbcs-httpd24-httpd | Not affected | | |
Red Hat JBoss Enterprise Application Platform 6 | httpd | Out of support scope | | |
Red Hat Enterprise Linux 7 | httpd | Fixed | RHSA-2022:0143 | 17.01.2022 |
Red Hat Enterprise Linux 7.3 Advanced Update Support | httpd | Fixed | RHSA-2022:1139 | 01.04.2022 |
Red Hat Enterprise Linux 7.4 Advanced Update Support | httpd | Fixed | RHSA-2022:1138 | 01.04.2022 |
Red Hat Enterprise Linux 7.6 Advanced Update Support (Disable again in 2026 - SPRHEL-7118) | httpd | Fixed | RHSA-2022:1136 | 01.04.2022 |
Red Hat Enterprise Linux 7.6 Telco Extended Update Support | httpd | Fixed | RHSA-2022:1136 | 01.04.2022 |
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions | httpd | Fixed | RHSA-2022:1136 | 01.04.2022 |
Additional information
CVSS3: 9.8 Critical