CVE-2022-22721: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
Published Mar 14, 2022
·Updated
A flaw was found in httpd, where it incorrectly limits the value of the LimitXMLRequestBody option. This issue can lead to an integer overflow and later causes an out-of-bounds write.
Credit
CVE-2021-44224, CVE-2021-44790, CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, Lockheed Martin Red Team, an anonymous researcher, Jeremy Brown(Trend Micro Zero Day Initiative), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Qi Sun(Trend Micro), Ye Zhang@@co0py_Cat(Baidu Security), Robert Ai(Trend Micro), Arsenii Kostromin (0x3c3e), Yonghwi Jin@@jinmo123(Theori), Linus Henze(Pinauten GmbH), Liu Long(Ant Security Light), Jack Dates(RET2 Systems Inc), Antonio Zekic@@antoniozekic, Jeonghoon Shin(Theori working with Trend Micro Zero Day Initiative), Peter Nguyễn Vũ Hoàng@@peternguyen14(STAR Labs), Ned Williamson(Google Project Zero), @@gorelics(BreakPoint), (BreakPoint), Ron Masas(BreakPoint), Wojciech Reguła@@_r3ggi(SecuRing), Arsenii Kostromin (0x3c3e)(Microsoft), Jonathan Bar Or(Microsoft), Zhipeng Huo@@R3dF09(Tencent Security Xuanwu Lab), Yuebin Sun@@yuebinsun2020(Tencent Security Xuanwu Lab), Max Shavrick@@_mxms(the Google Security Team), Zubair Ashraf(Crowdstrike), CVE-2022-0778, CVE-2022-23308, Mickey Jin@@patch1t, @@gorelics, Peter Nguyễn Vũ Hoàng(STAR Labs), Felix Poulin-Belanger, Antonio Cheong Yu Xuan(YCISCQ), CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2021-46059, CVE-2022-0128, Heige(KnownSec 404 Team), Bo Qu(Palo Alto Networks), Scarlet Raine, Wang Yu(Cyberserval), CVE-2022-0530, Tavis Ormandy, CVE-2021-45444, ABC Research s.r.o, Jon Thompson(Evolve), IA), actae0n(Blacksun Hackers Club working with Trend Micro Zero Day Initiative), Andrew Williams(Google), Avi Drissman(Google), chenyuwang@@mzzzz__(Tencent Security Xuanwu Lab), Jordy Zomer@@pwningsystems, Paul Walker(Bury), Nathaniel Ekoniak(Ennate Technologies), Gergely Kalman@@gergely_kalman(Mandiant), (Mandiant), Joshua Mason(Mandiant), Ron Waisberg(SecuRing), an anonymous researcher(SecuRing), (Perception Point), Ron Hass@@ronhass7(Perception Point), ryuzaki, Chijin Zhou(ShuiMuYuLin Ltd), Tsinghua wingtecher lab, Jeonghoon Shin(Theori), SorryMybad@@S0rryMybad(Kunlun Lab), Dongzhuo Zhao(ADLab of Venustech)
Affected Software
32 affected componentsFixes available
redhat/jbcs-httpd24-httpd<0:2.4.51-37.el8
0:2.4.51-37.el8
redhat/jbcs-httpd24-httpd<0:2.4.51-37.el7
0:2.4.51-37.el7
redhat/httpd<0:2.4.53-7.el9
0:2.4.53-7.el9
redhat/httpd24-httpd<0:2.4.34-23.el7.5
0:2.4.34-23.el7.5
redhat/httpd<2.4.53
2.4.53
Apple macOS Big Sur<11.6.6
11.6.6
Apple Catalina
Apple macOS Monterey<12.4
12.4
Apache HTTP Server<=2.4.52
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Debian Debian Linux=9.0
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle HTTP Server=12.2.1.3.0
Oracle HTTP Server=12.2.1.4.0
Oracle ZFS Storage Appliance Kit=8.8
Apple iOS and macOS>=10.15<10.15.7
Apple iOS and macOS=10.15.7-security_update_2020-001
Apple iOS and macOS=10.15.7-security_update_2021-001
Apple iOS and macOS=10.15.7-security_update_2021-002
Apple iOS and macOS=10.15.7-security_update_2021-003
Apple iOS and macOS=10.15.7-security_update_2021-004
Apple iOS and macOS=10.15.7-security_update_2021-005
Apple iOS and macOS=10.15.7-security_update_2021-006
Apple iOS and macOS=10.15.7-security_update_2021-007
Apple iOS and macOS=10.15.7-security_update_2021-008
Apple iOS and macOS=10.15.7-security_update_2022-001
Apple iOS and macOS=10.15.7-security_update_2022-002
Apple iOS and macOS=10.15.7-security_update_2022-003
Apple macOS>=11.0<11.6.6
Apple macOS>=12.0<12.4
Remediation
Patch Available
Information
Set the LimitXMLRequestBody option to a value smaller than 350MB. Setting it to 0 is not recommended as it will use a hard limit (depending on 32bit or 64bit systems) which may result in an overall system out-of-memory. The default configuration is not vulnerable to this flaw, see the statement above.
Event History
Mar 14, 2022
CVE Published
12:00 AM
CVE Published
via MITRE·10:15 AM
Data Sourced
via MITRE·10:15 AM
DescriptionWeakness
Mar 15, 2022
Data Sourced
via Red Hat·02:34 PM
DescriptionSeverityAffected Software
Frequently Asked Questions
1
What is CVE-2022-22721?
CVE-2022-22721 is a vulnerability in Apache HTTP Server where an integer overflow occurs when LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32-bit systems, which can lead to out-of-bounds writes.
2
How does CVE-2022-22721 affect Apache HTTP Server?
CVE-2022-22721 affects Apache HTTP Server version 2.4.52 and earlier.
3
What is the severity of CVE-2022-22721?
CVE-2022-22721 has a severity rating of high (7).
4
How can I fix CVE-2022-22721?
To fix CVE-2022-22721, update Apache HTTP Server to version 2.4.53 or later.
5
Where can I find more information about CVE-2022-22721?
You can find more information about CVE-2022-22721 at the following references: [Link 1](https://support.apple.com/en-us/HT213257), [Link 2](https://support.apple.com/en-us/HT213255), [Link 3](https://support.apple.com/en-us/HT213256).