QID 355264

Date Published: 2023-05-29

QID 355264: Amazon Linux Security Advisory for httpd : ALAS2023-2023-072

There is a NULL pointer dereference and server-side request forgery (SSRF) flaw in httpd's mod_proxy module when it is configured to be used as a forward proxy.
A crafted packet sent from the adjacent network to the forward proxy could cause a crash, or potentially SSRF via misdirected Unix domain socket requests.
In the worst case, this could cause a denial of service or compromise the confidentiality of data. (CVE-2021-44224)

A buffer overflow flaw in httpd's Lua module could allow an out-of-bounds write.
An attacker who is able to submit a crafted request to an httpd instance that is using the Lua module may be able to affect confidentiality, integrity, and/or availability. (CVE-2021-44790)

A flaw was found in the mod_lua module of httpd.
A crafted request body can cause a read from a random memory area due to an uninitialized value in functions called by the parsebody function.
The highest threat from this vulnerability is to availability. (CVE-2022-22719)

A flaw was found in httpd.
The inbound connection is not closed when it fails to discard the request body, which may expose the server to HTTP request smuggling. (CVE-2022-22720)

A flaw was found in httpd, where it incorrectly limits the value of the LimitXMLRequestBody option.
This issue can lead to an integer overflow and later causes an out-of-bounds write. (CVE-2022-22721)

An out-of-bounds read/write vulnerability was found in the mod_sed module of httpd.

Successful exploitation of these vulnerabilities could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
  • Solution
    Please refer to Amazon advisory ALAS2023-2023-072 for affected packages and patching details, or update with your package manager.

Vendor References

Software Advisories

    Advisory ID         Software Component    Link
    ALAS2023-2023-072   amazon linux 2023     alas.aws.amazon.com/AL2023/ALAS-2023-072.html