Here a security hole, there a security hole, everywhere a security hole. One of the latest is an obnoxious one labeled CVE-2022-30522. This is a Denia

There’s a Nasty Security Hole in the Apache Webserver

submited by
Style Pass
2022-07-06 19:30:07

Here a security hole, there a security hole, everywhere a security hole. One of the latest is an obnoxious one labeled CVE-2022-30522. This is a Denial of Service (DoS) attack in the Apache HTTP Server‘s mod_sed module.

Is that ringing faint bells? If so, that’s because we’ve been here before. In March 2022, CVE-2022-23943, an Apache memory corruption vulnerability in mod_sed, was uncovered. This one was an out-of-bounds Write vulnerability that enabled attackers to overwrite heap memory. When you say, “overwrite heap memory,” you know it’s bad news. This impacted the Apache HTTP Server 2.4 version 2.4.52 and earlier versions.

It was quickly fixed. But, Brian Moussalli, the JFrog Security Research team’s Security Research Tech Lead, worried that while the Apache code “fix resolved the issue, it created a new unwanted behavior.” Moussalli was right.

It turned out that the patch opened a new mod_sed vulnerability. The good news is it only impacts Apache HTTPD 2.4.5. It’s invoked when a mod_sed filter is used for request or response editing.

Leave a Comment