Taiwan-based NAS maker, QNAP asked users to apply mitigations to prevent attempts to exploit Apache HTTP Server security vulnerabilities. Two vulnerabilities, tracked as CVE-2022-22721 and CVE-2022-23943, have a CVSS score of 9.8 and impacts systems running Apache HTTPS Server or earlier.
Fixed in Apache HTTP Server 2.4.53
The Apache Software Foundation and the Apache HTTP Server Project announced multiple vulnerabilities that have been fixed in their latest release of Apache HTTP Server 2.4.53:
- CVE-2022-22719: moderate: mod_lua: Use of uninitialized value of in r:parsebody
- CVE-2022-22720: important: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
- CVE-2022-22721: low: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943: important: mod_sed: Read/write beyond bounds
While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device. QNAP also stated that they are investigating the vulnerabilities that affect QNAP products and will release the security updates. For the mitigations:
- To mitigate CVE-2022-22721, we recommend keeping the default value “1M” for LimitXMLRequestBody.
- To mitigate CVE-2022-23943, disable mod_sed. (Note: In QTS, mod_sed is disabled by default in Apache HTTP Server.)