CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
Published Mar 14, 2022
A flaw was found in httpd: the inbound connection is not closed when the server fails to discard the request body, which may expose the server to HTTP request smuggling.
Affected Software
49 affected components (fixes available)

| Component | Affected versions | Fixed version |
|---|---|---|
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.el8 | 0:1.6.1-91.el8 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-3.el8 | 0:7.78.0-3.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-80.el8 | 0:2.4.37-80.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.el8 | 0:1.39.2-41.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.el8 | 1:1.1.1g-11.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.el8 | 0:1.0.0-11.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.el8 | 0:0.4.10-26.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.jbcs.el7 | 0:1.6.1-91.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-3.jbcs.el7 | 0:7.78.0-3.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-80.jbcs.el7 | 0:2.4.37-80.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.jbcs.el7 | 0:1.39.2-41.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.jbcs.el7 | 1:1.1.1g-11.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.jbcs.el7 | 0:1.0.0-11.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.jbcs.el7 | 0:0.4.10-26.jbcs.el7 |
| redhat/httpd | <0:2.2.15-70.el6_10 | 0:2.2.15-70.el6_10 |
| redhat/httpd | <0:2.4.6-97.el7_9.5 | 0:2.4.6-97.el7_9.5 |
| redhat/httpd | <0:2.4.6-45.el7_3.8 | 0:2.4.6-45.el7_3.8 |
| redhat/httpd | <0:2.4.6-67.el7_4.9 | 0:2.4.6-67.el7_4.9 |
| redhat/httpd | <0:2.4.6-89.el7_6.4 | 0:2.4.6-89.el7_6.4 |
| redhat/httpd | <0:2.4.6-90.el7_7.3 | 0:2.4.6-90.el7_7.3 |
| redhat/httpd24-httpd | <0:2.4.34-23.el7.2 | 0:2.4.34-23.el7.2 |
| redhat/httpd | <2.4.53 | 2.4.53 |
| Apple macOS Big Sur | <11.6.6 | 11.6.6 |
| Apple Catalina | | |
| Apple macOS Monterey | <12.4 | 12.4 |
| Apache HTTP Server | <=2.4.52 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Debian Debian Linux | =9.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Apple iOS and macOS | =10.15.7-security_update_2020-001 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-001 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-002 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-003 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-004 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-005 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-006 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-007 | |
| Apple iOS and macOS | =10.15.7-security_update_2021-008 | |
| Apple iOS and macOS | =10.15.7-security_update_2022-001 | |
| Apple iOS and macOS | =10.15.7-security_update_2022-002 | |
| Apple iOS and macOS | =10.15.7-security_update_2022-003 | |
| Apple macOS | <10.15.7 | |
| Apple macOS | >=11.0 <11.6.6 | |
| Apple macOS | >=12.0 <=12.4 | |
Remediation
Patch Available
Information
There are currently no known mitigations for this issue.
Event History
Mar 14, 2022
- 12:00 AM: CVE Published
- 10:15 AM: CVE Published via MITRE
- 10:15 AM: Data Sourced via MITRE (Description, Weakness)

Mar 15, 2022
- 02:34 PM: Data Sourced via Red Hat (Description, Severity, Affected Software)
Frequently Asked Questions
1. What is the vulnerability ID of this issue?
   The vulnerability ID is CVE-2022-22720.
2. What is the severity of CVE-2022-22720?
   The severity of CVE-2022-22720 is high, with a score of 8.3.
3. What is the affected software?
   The affected software includes Apache HTTP Server versions 2.4.52 and earlier.
4. How can I fix CVE-2022-22720?
   To fix CVE-2022-22720, update Apache HTTP Server to version 2.4.53.
5. Where can I find more information about CVE-2022-22720?
   More information about CVE-2022-22720 can be found in the references: [Reference 1](https://support.apple.com/en-us/HT213257), [Reference 2](https://support.apple.com/en-us/HT213255), [Reference 3](https://support.apple.com/en-us/HT213256).