Vulnerability Name:
CVE-2022-29404 (CCN-228339)
Assigned:
2022-06-07
Published:
2022-06-07
Updated:
2022-08-24
Summary:
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
CVSS v3 Severity:
7.5 High
(CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
)
6.5 Medium
(Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
High
5.3 Medium
(CCN CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
)
4.6 Medium
(CCN Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Low
7.5 High
(REDHAT CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
)
6.5 Medium
(REDHAT Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
High
CVSS v2 Severity:
5.0 Medium
(CVSS v2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Partial
5.0 Medium
(CCN CVSS v2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Athentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Partial
Vulnerability Type:
CWE-770
Vulnerability Consequences:
Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-29404
Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20220608 CVE-2022-29404: Apache HTTP Server: Denial of service in mod_lua r:parsebody
Source: XF
Type: UNKNOWN
apache-http-cve202229404-dos(228339)
Source: CCN
Type: Apache Web site
Denial of service in mod_lua r:parsebody
Source: MISC
Type: Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-b54a8dee29
Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-e620fb15d5
Source: CCN
Type: oss-sec Mailing List, Wed, 08 Jun 2022 09:43:35 +0000
CVE-2022-29404: Apache HTTP Server: Denial of service in mod_lua r:parsebody
Source: GENTOO
Type: Third Party Advisory
GLSA-202208-20
Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/
Source: CCN
Type: IBM Security Bulletin 6595149 (HTTP Server)
Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server
Source: CCN
Type: IBM Security Bulletin 6607888 (Tivoli Monitoring)
Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server
Source: CCN
Type: IBM Security Bulletin 6610841 (Security SiteProtector System)
IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6837593 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use Mapping Assistance may be vulnerable to CVE-2022-29404, CVE-2022-30522, CVE-2022-30556 and CVE-2022-31813
Source: CCN
Type: IBM Security Bulletin 6952359 (Aspera Orchestrator)
IBM Aspera Orchestrator affected by denial of service vulnerability (CVE-2022-29404)
Vulnerable Configuration:
Configuration 1
:
cpe:/a:apache:http_server:*:*:*:*:*:*:*:*
(Version <= 2.4.53)
Configuration 2
:
cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
OR
cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Configuration 3
:
cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Configuration RedHat 1
:
cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2
:
cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3
:
cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 4
:
cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
Configuration CCN 1
:
cpe:/a:apache:http_server:2.4.18:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.20:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.23:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.29:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.25:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.26:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.27:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.28:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.34:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.35:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.38:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.39:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.41:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.43:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.46:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.48:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.49:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.50:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.51:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.52:*:*:*:*:*:*:*
OR
cpe:/a:apache:http_server:2.4.53:*:*:*:*:*:*:*
AND
cpe:/a:ibm:http_server:7.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:http_server:8.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:http_server:8.5:*:*:*:*:*:*:*
OR
cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_siteprotector_system:3.1.1:*:*:*:*:*:*:*
OR
cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
Denotes that component is vulnerable
Oval Definitions
Definition ID
Class
Title
Last Modified
oval:org.opensuse.security:def:7434
P
apache2-2.4.51-150400.6.11.1 on GA media (Moderate)
2023-06-12
oval:com.redhat.rhsa:def:20228067
P
RHSA-2022:8067: httpd security, bug fix, and enhancement update (Moderate)
2022-11-15
oval:com.redhat.rhsa:def:20227647
P
RHSA-2022:7647: httpd:2.4 security update (Moderate)
2022-11-08
oval:org.opensuse.security:def:119249
P
Security update for apache2 (Important)
2022-07-08
oval:org.opensuse.security:def:119440
P
Security update for apache2 (Important)
2022-07-08
oval:org.opensuse.security:def:118754
P
Security update for apache2 (Important)
2022-07-08
oval:org.opensuse.security:def:119625
P
Security update for apache2 (Important)
2022-07-08
oval:org.opensuse.security:def:118944
P
Security update for apache2 (Important)
2022-07-08
oval:org.opensuse.security:def:95252
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:93306
P
(Important)
2022-07-06
oval:org.opensuse.security:def:94039
P
(Important)
2022-07-06
oval:org.opensuse.security:def:3740
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:95370
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:93464
P
(Important)
2022-07-06
oval:org.opensuse.security:def:94251
P
(Important)
2022-07-06
oval:org.opensuse.security:def:3763
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:95396
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:93618
P
(Important)
2022-07-06
oval:org.opensuse.security:def:554
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:94460
P
(Important)
2022-07-06
oval:org.opensuse.security:def:93146
P
(Important)
2022-07-06
oval:org.opensuse.security:def:93825
P
(Important)
2022-07-06
oval:org.opensuse.security:def:3622
P
Security update for apache2 (Important)
2022-07-06
oval:org.opensuse.security:def:126900
P
Security update for apache2 (Important)
2022-06-16
oval:org.opensuse.security:def:6073
P
Security update for apache2 (Important)
2022-06-16
oval:org.opensuse.security:def:127297
P
Security update for apache2 (Important)
2022-06-16
oval:org.opensuse.security:def:125734
P
Security update for apache2 (Important)
2022-06-16
oval:org.opensuse.security:def:5275
P
Security update for apache2 (Important)
2022-06-16
oval:org.opensuse.security:def:931
P
Security update for apache2 (Important) (in QA)
2022-06-14
oval:org.opensuse.security:def:1528
P
Security update for apache2 (Important) (in QA)
2022-06-14
oval:org.opensuse.security:def:1682
P
Security update for apache2 (Important) (in QA)
2022-06-14
BACK
apache
http server *
fedoraproject
fedora 35
fedoraproject
fedora 36
netapp
clustered data ontap -
apache
http server 2.4.18
apache
http server 2.4.20
apache
http server 2.4.23
apache
http server 2.4.29
apache
http server 2.4.33
apache
http server 2.4.25
apache
http server 2.4.26
apache
http server 2.4.27
apache
http server 2.4.28
apache
http server 2.4.34
apache
http server 2.4.35
apache
http server 2.4.37
apache
http server 2.4.38
apache
http server 2.4.39
apache
http server 2.4.41
apache
http server 2.4.43
apache
http server 2.4.46
apache
http server 2.4.48
apache
http server 2.4.49
apache
http server 2.4.50
apache
http server 2.4.51
apache
http server 2.4.52
apache
http server 2.4.53
ibm
http server 7.0
ibm
http server 8.0
ibm
http server 8.5
ibm
tivoli monitoring 6.3.0
ibm
security siteprotector system 3.1.1
ibm
app connect enterprise certified container 4.2
Denotes that component is vulnerable