CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
Published Dec 20, 2021
A buffer overflow flaw in httpd's lua module could allow an out-of-bounds write. An attacker who is able to submit a crafted request to an httpd instance that is using the lua module may be able to cause an impact to confidentiality, integrity, and/or availability.
Credit
CVE-2021-44224, CVE-2021-44790, CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, Lockheed Martin Red Team, an anonymous researcher, Jeremy Brown (Trend Micro Zero Day Initiative), Michael DePlante (@izobashi) (Trend Micro Zero Day Initiative), Qi Sun (Trend Micro), Ye Zhang (@co0py_Cat) (Baidu Security), Robert Ai (Trend Micro), Arsenii Kostromin (0x3c3e), Yonghwi Jin (@jinmo123) (Theori), Linus Henze (Pinauten GmbH), Liu Long (Ant Security Light), Jack Dates (RET2 Systems Inc), Antonio Zekic (@antoniozekic), Jeonghoon Shin (Theori working with Trend Micro Zero Day Initiative), Peter Nguyễn Vũ Hoàng (@peternguyen14) (STAR Labs), Ned Williamson (Google Project Zero), @gorelics (BreakPoint), Ron Masas (BreakPoint), Wojciech Reguła (@_r3ggi) (SecuRing), Arsenii Kostromin (0x3c3e) (Microsoft), Jonathan Bar Or (Microsoft), Zhipeng Huo (@R3dF09) (Tencent Security Xuanwu Lab), Yuebin Sun (@yuebinsun2020) (Tencent Security Xuanwu Lab), Max Shavrick (@_mxms) (the Google Security Team), Zubair Ashraf (Crowdstrike), CVE-2022-0778, CVE-2022-23308, Mickey Jin (@patch1t), @gorelics, Peter Nguyễn Vũ Hoàng (STAR Labs), Felix Poulin-Belanger, Antonio Cheong Yu Xuan (YCISCQ), CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2021-46059, CVE-2022-0128, Heige (KnownSec 404 Team), Bo Qu (Palo Alto Networks), Scarlet Raine, Wang Yu (Cyberserval), CVE-2022-0530, Tavis Ormandy, CVE-2021-45444, ABC Research s.r.o, Jon Thompson (Evolve), actae0n (Blacksun Hackers Club working with Trend Micro Zero Day Initiative), Andrew Williams (Google), Avi Drissman (Google), chenyuwang (@mzzzz__) (Tencent Security Xuanwu Lab), Jordy Zomer (@pwningsystems), Paul Walker (Bury), Nathaniel Ekoniak (Ennate Technologies), Gergely Kalman (@gergely_kalman) (Mandiant), Joshua Mason (Mandiant), Ron Waisberg (SecuRing), an anonymous researcher (SecuRing), Ron Hass (@ronhass7) (Perception Point), ryuzaki, Chijin Zhou (ShuiMuYuLin Ltd), Tsinghua wingtecher lab, Jeonghoon Shin (Theori), SorryMybad (@S0rryMybad) (Kunlun Lab), Dongzhuo Zhao (ADLab of Venustech)
Affected Software
47 affected components (fixes available)
redhat/httpd <0:2.4.6-97.el7_9.4 (fixed in 0:2.4.6-97.el7_9.4)
redhat/httpd <0:2.4.6-45.el7_3.8 (fixed in 0:2.4.6-45.el7_3.8)
redhat/httpd <0:2.4.6-67.el7_4.9 (fixed in 0:2.4.6-67.el7_4.9)
redhat/httpd <0:2.4.6-89.el7_6.4 (fixed in 0:2.4.6-89.el7_6.4)
redhat/httpd <0:2.4.6-90.el7_7.3 (fixed in 0:2.4.6-90.el7_7.3)
redhat/httpd24-httpd <0:2.4.34-23.el7.1 (fixed in 0:2.4.34-23.el7.1)
debian/apache2 (fixed in 2.4.38-3+deb10u8, 2.4.38-3+deb10u10, 2.4.56-1~deb11u2, 2.4.56-1~deb11u1, 2.4.57-2, 2.4.57-3, 2.4.58-1)
Apple macOS Big Sur <11.6.6 (fixed in 11.6.6)
Apple Catalina
Apple macOS Monterey <12.4 (fixed in 12.4)
Apache HTTP Server<=2.4.51
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Tenable Tenable.Sc>=5.16.0<5.20.0
NetApp Cloud Backup
Oracle Communications Element Manager<=9.0
Oracle Communications Operations Monitor=4.3
Oracle Communications Operations Monitor=4.4
Oracle Communications Operations Monitor=5.0
Oracle Communications Session Report Manager<=9.0
Oracle Communications Session Route Manager<=9.0
Oracle HTTP Server=12.2.1.3.0
Oracle HTTP Server=12.2.1.4.0
Oracle Instantis Enterprisetrack=17.1
Oracle Instantis Enterprisetrack=17.2
Oracle Instantis Enterprisetrack=17.3
Oracle ZFS Storage Appliance Kit=8.8
Apple iOS and macOS=10.15.7-security_update_2020-001
Apple iOS and macOS=10.15.7-security_update_2021-001
Apple iOS and macOS=10.15.7-security_update_2021-002
Apple iOS and macOS=10.15.7-security_update_2021-003
Apple iOS and macOS=10.15.7-security_update_2021-004
Apple iOS and macOS=10.15.7-security_update_2021-005
Apple iOS and macOS=10.15.7-security_update_2021-006
Apple iOS and macOS=10.15.7-security_update_2021-007
Apple iOS and macOS=10.15.7-security_update_2021-008
Apple iOS and macOS=10.15.7-security_update_2022-001
Apple iOS and macOS=10.15.7-security_update_2022-002
Apple iOS and macOS=10.15.7-security_update_2022-003
Apple macOS<10.15.7
Apple macOS>=11.0<11.6.6
Apple macOS>=12.0<12.4
redhat/httpd <2.4.52 (fixed in 2.4.52)
Apache HTTP Server <2.4.52
Remediation
Patch Available
Information
Disabling mod_lua and restarting httpd will mitigate this flaw. See https://access.redhat.com/articles/10649 for more information.
Event History
Dec 20, 2021: CVE Published via MITRE, 12:00 AM
Dec 20, 2021: Data Sourced via MITRE, 12:00 AM (Description, Weakness)
Dec 21, 2021: Data Sourced via Red Hat, 04:53 PM (Description, Severity, Affected Software)
Frequently Asked Questions
1. What is CVE-2021-44790?
CVE-2021-44790 is a vulnerability in Apache HTTP Server that allows a carefully crafted request body to cause a buffer overflow in the mod_lua multipart parser.
2. What software is affected by CVE-2021-44790?
Apache HTTP Server 2.4.51 and earlier versions are affected by CVE-2021-44790.
3. How severe is CVE-2021-44790?
CVE-2021-44790 has a severity level of critical.
4. How can I fix CVE-2021-44790?
To fix CVE-2021-44790, update Apache HTTP Server to version 2.4.53 or later.
5. Is there an exploit for CVE-2021-44790?
The Apache httpd team is not aware of an exploit for CVE-2021-44790, but it might be possible to craft one.