CVE-2022-22720: httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling

Bug #1969363 reported by Ghada Khalil
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      Joe Slater

Bug Description

CVE-2022-22720: httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling

Score:
cve_id          status  cvss2Score  av  ac  au  ai
CVE-2022-22720  fixed   7.5         N   L   N   P

Description:
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-22720
https://access.redhat.com/security/cve/CVE-2022-22720
https://bugzilla.redhat.com/show_bug.cgi?id=2064321
https://access.redhat.com/errata/RHSA-2022:1045
https://lists.centos.org/pipermail/centos-announce/2022-March/073576.html

Found during the April 2022 CVE scan using vulscan.

Revision history for this message
Ghada Khalil (gkhalil) wrote :

Screening: Marking as medium priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and considered for cherry-pick to stx.6.0 if a maintenance release is planned

tags: added: stx.6.0 stx.7.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Yue Tao (wrytao)
information type: Public → Public Security
Revision history for this message
Ghada Khalil (gkhalil) wrote :

Assigning to Joe Slater as he will fix this CVE along with the other httpd CVEs reported in https://bugs.launchpad.net/starlingx/+bug/1960765

Changed in starlingx:
assignee: Yue Tao (wrytao) → Joe Slater (jslater0wind)
Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/838407
Committed: https://opendev.org/starlingx/tools/commit/a56902554f6069b61e9f19d404b6faa7dec6eb50
Submitter: "Zuul (22348)"
Branch: master

commit a56902554f6069b61e9f19d404b6faa7dec6eb50
Author: Joe Slater <email address hidden>
Date: Mon Apr 18 17:59:11 2022 -0400

    httpd: fix four CVEs

    NOTE! commit fc00096e8... purports to fix the first 3 CVEs
           but uses the wrong rpm version.

    CVE-2021-26691: heap overflow
    CVE-2021-39275: out-of-bounds write
    CVE-2021-44790: buffer overflow
    CVE-2022-22720: http request smuggling

    Advance to version 2.4.6-97.el7.centos.5.

    === testing
    boot iso and log in; become root; httpd is not running

     systemctl stop lighttpd # free up port 80
     systemctl start httpd # takes a while
     echo arf > /var/www/html/arf.txt # something to fetch
     wget http://localhost/arf.txt
     cat arf.txt

    This shows httpd is processing requests.
    ===

    Closes-bug: 1960765
    Closes-bug: 1969363
    Change-Id: I4c90213f020762f037e1f207f73e0622a38984c2
    Signed-off-by: Joe Slater <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
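The scan note on this bug (a version-based vulscan hit) and the commit's NOTE about an earlier change using the wrong rpm version point at the same practical problem: the NVD text says "2.4.52 and earlier", but CentOS 7 ships httpd 2.4.6 with the fix backported, so the only reliable check is a package-level comparison against the release that carries the backport. The block below is an added example, not StarlingX, vulscan or librpm code. It ports librpm's rpmvercmp() segment comparison (tilde supported, caret not) and compares full epoch:version-release strings. The fixed release 2.4.6-97.el7.centos.5 is taken from the commit above; every installed-package string in SAMPLES is constructed for illustration and does not describe any real host.

```python
"""Package-level check for a backported httpd fix vs. a version-only scan.
Added example; not StarlingX, vulscan or librpm code."""
import re

UPSTREAM_VULNERABLE_MAX = "2.4.52"           # from the NVD description on this bug
FIXED_CENTOS7_EVR = "2.4.6-97.el7.centos.5"  # from the commit on this bug


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): walk both strings in runs of digits or
    letters, compare numeric runs numerically and alpha runs lexically,
    '~' sorts before everything (including end of string). Returns -1/0/1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (dots, dashes, etc.) carry no ordering information.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1          # only b has '~': b is the pre-release, a is newer
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:
            return 1 if numeric else -1   # numeric segment beats alpha segment
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # leftover characters win


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release).
    Epoch defaults to 0 and release to '' when absent."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Full package comparison: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def upstream_scanner_flags(installed_evr: str) -> bool:
    """What a version-only scanner does: compare the upstream version part
    against '2.4.52 and earlier' and ignore the distribution release."""
    _, version, _ = parse_evr(installed_evr)
    return rpmvercmp(version, UPSTREAM_VULNERABLE_MAX) <= 0


def carries_backported_fix(installed_evr: str, fixed_evr: str = FIXED_CENTOS7_EVR) -> bool:
    """Package-level check: installed EVR is at or above the fixed release."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def assess(installed_evr: str) -> dict:
    """Combine both views; 'false_positive' is a scan hit on a fixed package."""
    flagged = upstream_scanner_flags(installed_evr)
    fixed = carries_backported_fix(installed_evr)
    return {"evr": installed_evr, "scanner_flags": flagged,
            "has_backport": fixed, "false_positive": flagged and fixed}


# Constructed sample package strings for illustration only (not from any real host).
SAMPLES = ["2.4.6-90.el7.centos", "2.4.6-97.el7.centos.5",
           "2.4.6-97.el7.centos.10", "2.4.53-1.el7"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess(s))
```

On a CentOS 7 host the installed string would come from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' httpd` (an epoch of "(none)" maps to 0); the scanner's "2.4.52 and earlier" match stays true for every 2.4.6 package, which is why the release field, not the upstream version, decides whether this CVE is closed.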