CVE-2022-28614
Summary
| CVE | CVE-2022-28614 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-09 17:15:00 UTC |
| Updated | 2023-11-07 03:45:00 UTC |
| Description | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. |
Risk And Classification
Problem Types: CWE-190
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| oss-security - CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite() | MLIST | www.openwall.com | |
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| [SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| June 2022 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue.
Legacy QID Mappings
- 150539 Apache HTTP Server 2.4.53 Multiple Vulnerabilities
- 160046 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-9714)
- 160250 Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-7647)
- 160309 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-8067)
- 180829 Debian Security Update for apache2 (CVE-2022-28614)
- 198838 Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5487-1)
- 240698 Red Hat Update for httpd24-httpd (RHSA-2022:6753)
- 240854 Red Hat Update for httpd:2.4 (RHSA-2022:7647)
- 240885 Red Hat Update for httpd security (RHSA-2022:8067)
- 240996 Red Hat Update for JBoss Core Services (RHSA-2022:8840)
- 282882 Fedora Security Update for httpd (FEDORA-2022-e620fb15d5)
- 282903 Fedora Security Update for httpd (FEDORA-2022-b54a8dee29)
- 296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
- 353971 Amazon Linux Security Advisory for httpd24 : ALAS-2022-1607
- 353988 Amazon Linux Security Advisory for httpd : ALAS2-2022-1812
- 354482 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 354513 Amazon Linux Security Advisory for httpd : ALAS2022-2022-110
- 354577 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 355264 Amazon Linux Security Advisory for httpd : ALAS2023-2023-072
- 376753 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Apache Hypertext Transfer Protocol (HTTP) server Vulnerability (K58003591)
- 376863 IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (6595149)
- 378433 Oracle Hypertext Transfer Protocol Server (HTTP Server) Server Multiple Vulnerabilities (CPUAPR2023)
- 501353 Alpine Linux Security Update for apache2
- 503857 Alpine Linux Security Update for apache2
- 672022 EulerOS Security Update for httpd (EulerOS-SA-2022-2256)
- 672041 EulerOS Security Update for httpd (EulerOS-SA-2022-2270)
- 672052 EulerOS Security Update for httpd (EulerOS-SA-2022-2222)
- 672060 EulerOS Security Update for httpd (EulerOS-SA-2022-2243)
- 672082 EulerOS Security Update for httpd (EulerOS-SA-2022-2320)
- 672128 EulerOS Security Update for httpd (EulerOS-SA-2022-2291)
- 672228 EulerOS Security Update for httpd (EulerOS-SA-2022-2614)
- 690877 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (49adfbe5-e7d1-11ec-8fbd-d4c9ef517024)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 752247 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2101-1)
- 752248 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2099-1)
- 752307 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2302-1)
- 752326 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2338-1)
- 752331 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2342-1)
- 940741 AlmaLinux Security Update for httpd:2.4 (ALSA-2022:7647)
- 940823 AlmaLinux Security Update for httpd (ALSA-2022:8067)
- 960175 Rocky Linux Security Update for httpd:2.4 (RLSA-2022:7647)
- 960481 Rocky Linux Security Update for httpd (RLSA-2022:8067)