VAR-202109-1804
Vulnerability from variot - Updated: 2026-04-10 21:46A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). The server is fast, reliable and extensible through a simple API.
Apache HTTP Server has a denial of service vulnerability in versions 2.4.30 to 2.4.48, which is caused by the network system or product not properly validating the input data. An out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated malicious user to crash the service through a crafted request. The highest threat from this vulnerability is to system availability.
For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u6.
For the stable distribution (bullseye), these problems have been fixed in version 2.4.51-1~deb11u1.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFgr44ACgkQEMKTtsN8 TjbophAAiZ+fhF2r8BUbQkL8BhpfqjA+hVsp9WEMTn8Gq6kiW0wLvK3jWPM301Ou D4gHqKmFPmYNC1KBOyk/lJdxyD7iTUweUyLi3WXzxhIDMx0kxkRw1oXlyCHzIqSJ M277bgk32h2cDCbsXjrN/8agKPcKgfwDqiyf/igfEq6V8OB2zVvJPKVFq45n54+q 4FPXSyx1g2u5ewSeXbU2uHDej6Qborui4osDdbwx8CT6aETi0cIXJ8RbXF3PUCHG 5DzZagnRq6GumPsl01jcPu7b9Ck8MlkxMSG3FRsSIJVkwpsQ2C34ywIJkFlzUZZh jhdVUrfbyfLpSdcPcipAAjl9I6gDqa9SFdMRK7ixCpQ6iTiVeDZdJ8pA4jnSweNQ THik07di9R0juX0p7peQiIyBKrEf7Y3WSvLOn0SBKXvZnzc/72rH2nP5FclsgCsV TWxptziGridC43KB8/tDJAAOXVF2lzylzF70V/UGTNo1jk9w3/p6btU1iuzKspyY Y4aPZla3DImI8mezrgFrGYNg7bZYLKuJyGDADKih2sUQpzmDZ6MJxKAE3NLRWyQa 7cCJdoNR9yVqytEw1Y/ZRXAXWfMb3Y1ts2EqR8hzLQgMYb0JC58cLMG3T0RgyPoO A4CTIoYpK1WnsykAE8M4XFrnOW3lrtse6T8N/dTVMuodElAEhc0= =/At6 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 security update Advisory ID: RHSA-2022:7143-01 Product: Red Hat JBoss Core Services Advisory URL: https://access.redhat.com/errata/RHSA-2022:7143 Issue date: 2022-10-26 CVE Names: CVE-2021-33193 CVE-2021-36160 CVE-2021-39275 CVE-2021-41524 CVE-2021-44224 CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990 CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 ==================================================================== 1. Summary:
An update is now available for Red Hat JBoss Core Services.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss Core Services on RHEL 7 Server - noarch, x86_64 Red Hat JBoss Core Services on RHEL 8 - noarch, x86_64
- Description:
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
-
expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
-
expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
-
expat: Integer overflow in storeRawNames() (CVE-2022-25315)
-
httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
-
httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160)
-
httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)
-
httpd: NULL pointer dereference via crafted request during HTTP/2 request processing (CVE-2021-41524)
-
httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)
-
expat: Large number of prefixed XML attributes on a single tag can crash libexpat (CVE-2021-45960)
-
expat: Integer overflow in doProlog in xmlparse.c (CVE-2021-46143)
-
expat: Integer overflow in addBinding in xmlparse.c (CVE-2022-22822)
-
expat: Integer overflow in build_model in xmlparse.c (CVE-2022-22823)
-
expat: Integer overflow in defineAttribute in xmlparse.c (CVE-2022-22824)
-
expat: Integer overflow in lookup in xmlparse.c (CVE-2022-22825)
-
expat: Integer overflow in nextScaffoldPart in xmlparse.c (CVE-2022-22826)
-
expat: Integer overflow in storeAtts in xmlparse.c (CVE-2022-22827)
-
expat: Integer overflow in function XML_GetBuffer (CVE-2022-23852)
-
expat: stack exhaustion in doctype parsing (CVE-2022-25313)
-
expat: integer overflow in copyString() (CVE-2022-25314)
-
expat: integer overflow in the doProlog function (CVE-2022-23990)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Applications using the APR libraries, such as httpd, must be restarted for this update to take effect. After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
1966728 - CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy 2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input 2005124 - CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path 2010934 - CVE-2021-41524 httpd: NULL pointer dereference via crafted request during HTTP/2 request processing 2034672 - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations 2044451 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat 2044455 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c 2044457 - CVE-2022-22822 expat: Integer overflow in addBinding in xmlparse.c 2044464 - CVE-2022-22823 expat: Integer overflow in build_model in xmlparse.c 2044467 - CVE-2022-22824 expat: Integer overflow in defineAttribute in xmlparse.c 2044479 - CVE-2022-22825 expat: Integer overflow in lookup in xmlparse.c 2044484 - CVE-2022-22826 expat: Integer overflow in nextScaffoldPart in xmlparse.c 2044488 - CVE-2022-22827 expat: Integer overflow in storeAtts in xmlparse.c 2044613 - CVE-2022-23852 expat: Integer overflow in function XML_GetBuffer 2048356 - CVE-2022-23990 expat: integer overflow in the doProlog function 2056350 - CVE-2022-25313 expat: stack exhaustion in doctype parsing 2056354 - CVE-2022-25314 expat: integer overflow in copyString() 2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames() 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution 2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
- Package List:
Red Hat JBoss Core Services on RHEL 7 Server:
Source: jbcs-httpd24-apr-1.7.0-6.el7jbcs.src.rpm jbcs-httpd24-apr-util-1.6.1-98.el7jbcs.src.rpm jbcs-httpd24-brotli-1.0.9-2.el7jbcs.src.rpm jbcs-httpd24-curl-7.83.1-6.el7jbcs.src.rpm jbcs-httpd24-httpd-2.4.51-28.el7jbcs.src.rpm jbcs-httpd24-jansson-2.14-1.el7jbcs.src.rpm jbcs-httpd24-mod_http2-1.15.19-17.el7jbcs.src.rpm jbcs-httpd24-mod_jk-1.2.48-41.redhat_1.el7jbcs.src.rpm jbcs-httpd24-mod_md-2.4.0-15.el7jbcs.src.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-9.el7jbcs.src.rpm jbcs-httpd24-mod_security-2.9.3-19.el7jbcs.src.rpm jbcs-httpd24-nghttp2-1.43.0-10.el7jbcs.src.rpm jbcs-httpd24-openssl-1.1.1k-12.el7jbcs.src.rpm jbcs-httpd24-openssl-chil-1.0.0-16.el7jbcs.src.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-31.el7jbcs.src.rpm
noarch: jbcs-httpd24-httpd-manual-2.4.51-28.el7jbcs.noarch.rpm
x86_64: jbcs-httpd24-apr-1.7.0-6.el7jbcs.x86_64.rpm jbcs-httpd24-apr-debuginfo-1.7.0-6.el7jbcs.x86_64.rpm jbcs-httpd24-apr-devel-1.7.0-6.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-98.el7jbcs.x86_64.rpm jbcs-httpd24-brotli-1.0.9-2.el7jbcs.x86_64.rpm jbcs-httpd24-brotli-debuginfo-1.0.9-2.el7jbcs.x86_64.rpm jbcs-httpd24-brotli-devel-1.0.9-2.el7jbcs.x86_64.rpm jbcs-httpd24-curl-7.83.1-6.el7jbcs.x86_64.rpm jbcs-httpd24-curl-debuginfo-7.83.1-6.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-jansson-2.14-1.el7jbcs.x86_64.rpm jbcs-httpd24-jansson-debuginfo-2.14-1.el7jbcs.x86_64.rpm jbcs-httpd24-jansson-devel-2.14-1.el7jbcs.x86_64.rpm jbcs-httpd24-libcurl-7.83.1-6.el7jbcs.x86_64.rpm jbcs-httpd24-libcurl-devel-7.83.1-6.el7jbcs.x86_64.rpm jbcs-httpd24-mod_http2-1.15.19-17.el7jbcs.x86_64.rpm jbcs-httpd24-mod_http2-debuginfo-1.15.19-17.el7jbcs.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.48-41.redhat_1.el7jbcs.x86_64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.48-41.redhat_1.el7jbcs.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-mod_md-2.4.0-15.el7jbcs.x86_64.rpm jbcs-httpd24-mod_md-debuginfo-2.4.0-15.el7jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-9.el7jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-9.el7jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-mod_security-2.9.3-19.el7jbcs.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.3-19.el7jbcs.x86_64.rpm jbcs-httpd24-mod_session-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.51-28.el7jbcs.x86_64.rpm jbcs-httpd24-nghttp2-1.43.0-10.el7jbcs.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.43.0-10.el7jbcs.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.43.0-10.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-1.1.1k-12.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-1.0.0-16.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-debuginfo-1.0.0-16.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.1.1k-12.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-devel-1.1.1k-12.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-libs-1.1.1k-12.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-perl-1.1.1k-12.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-31.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-31.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-static-1.1.1k-12.el7jbcs.x86_64.rpm
Red Hat JBoss Core Services on RHEL 8:
Source: jbcs-httpd24-apr-1.7.0-6.el8jbcs.src.rpm jbcs-httpd24-apr-util-1.6.1-98.el8jbcs.src.rpm jbcs-httpd24-brotli-1.0.9-2.el8jbcs.src.rpm jbcs-httpd24-curl-7.83.1-6.el8jbcs.src.rpm jbcs-httpd24-httpd-2.4.51-28.el8jbcs.src.rpm jbcs-httpd24-jansson-2.14-1.el8jbcs.src.rpm jbcs-httpd24-mod_http2-1.15.19-17.el8jbcs.src.rpm jbcs-httpd24-mod_jk-1.2.48-41.redhat_1.el8jbcs.src.rpm jbcs-httpd24-mod_md-2.4.0-15.el8jbcs.src.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-9.el8jbcs.src.rpm jbcs-httpd24-mod_security-2.9.3-19.el8jbcs.src.rpm jbcs-httpd24-nghttp2-1.43.0-10.el8jbcs.src.rpm jbcs-httpd24-openssl-1.1.1k-12.el8jbcs.src.rpm jbcs-httpd24-openssl-chil-1.0.0-16.el8jbcs.src.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-31.el8jbcs.src.rpm
noarch: jbcs-httpd24-httpd-manual-2.4.51-28.el8jbcs.noarch.rpm
x86_64: jbcs-httpd24-apr-1.7.0-6.el8jbcs.x86_64.rpm jbcs-httpd24-apr-debuginfo-1.7.0-6.el8jbcs.x86_64.rpm jbcs-httpd24-apr-devel-1.7.0-6.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-ldap-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-mysql-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-nss-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-odbc-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-openssl-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-pgsql-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-sqlite-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm jbcs-httpd24-brotli-1.0.9-2.el8jbcs.x86_64.rpm jbcs-httpd24-brotli-debuginfo-1.0.9-2.el8jbcs.x86_64.rpm jbcs-httpd24-brotli-devel-1.0.9-2.el8jbcs.x86_64.rpm jbcs-httpd24-curl-7.83.1-6.el8jbcs.x86_64.rpm jbcs-httpd24-curl-debuginfo-7.83.1-6.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-tools-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-jansson-2.14-1.el8jbcs.x86_64.rpm jbcs-httpd24-jansson-debuginfo-2.14-1.el8jbcs.x86_64.rpm jbcs-httpd24-jansson-devel-2.14-1.el8jbcs.x86_64.rpm jbcs-httpd24-libcurl-7.83.1-6.el8jbcs.x86_64.rpm jbcs-httpd24-libcurl-debuginfo-7.83.1-6.el8jbcs.x86_64.rpm jbcs-httpd24-libcurl-devel-7.83.1-6.el8jbcs.x86_64.rpm jbcs-httpd24-mod_http2-1.15.19-17.el8jbcs.x86_64.rpm jbcs-httpd24-mod_http2-debuginfo-1.15.19-17.el8jbcs.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.48-41.redhat_1.el8jbcs.x86_64.rpm jbcs-httpd24-mod_jk-ap24-debuginfo-1.2.48-41.redhat_1.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ldap-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_md-2.4.0-15.el8jbcs.x86_64.rpm jbcs-httpd24-mod_md-debuginfo-2.4.0-15.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-9.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-9.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_html-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_security-2.9.3-19.el8jbcs.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.3-19.el8jbcs.x86_64.rpm jbcs-httpd24-mod_session-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_session-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ssl-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm jbcs-httpd24-nghttp2-1.43.0-10.el8jbcs.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.43.0-10.el8jbcs.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.43.0-10.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-1.1.1k-12.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-1.0.0-16.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-debuginfo-1.0.0-16.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.1.1k-12.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-devel-1.1.1k-12.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-libs-1.1.1k-12.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-libs-debuginfo-1.1.1k-12.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-perl-1.1.1k-12.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-31.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-31.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-static-1.1.1k-12.el8jbcs.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-33193 https://access.redhat.com/security/cve/CVE-2021-36160 https://access.redhat.com/security/cve/CVE-2021-39275 https://access.redhat.com/security/cve/CVE-2021-41524 https://access.redhat.com/security/cve/CVE-2021-44224 https://access.redhat.com/security/cve/CVE-2021-45960 https://access.redhat.com/security/cve/CVE-2021-46143 https://access.redhat.com/security/cve/CVE-2022-22822 https://access.redhat.com/security/cve/CVE-2022-22823 https://access.redhat.com/security/cve/CVE-2022-22824 https://access.redhat.com/security/cve/CVE-2022-22825 https://access.redhat.com/security/cve/CVE-2022-22826 https://access.redhat.com/security/cve/CVE-2022-22827 https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-23990 https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/cve/CVE-2022-25236 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-25315 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBY1nOZtzjgjWX9erEAQjuIxAApYL8vG/A+EEcbUqbTvVWogX49KtpAbJR V1Gv6llWWogAKT9HEE9AGansLscDYD8cyh6TNShY7lDkX7iYchzJLCs6IYDhBzls j7jSdQEgpEVUCPLdKA17rFMO5FvZSlp0pgvFjSH3r+Q1+IVhsxKSXagTbFaTqGgP JVqYMrbot+wzwkC1oHda0/Wh4UwqraveivOT/56FOXw6T0uxF0G51RuT+GSusUFe p7hwNNbE/xWONnQu29QNqMdB9IYFTEjpDV1Tn2i2wPMl1IhQVFhQUqgpjfL29KLc M+bOg6nE2NP4a6+YcYQevKwWTmq+VMLwwwCaNKsqFtK9KrDc/cy3nEDvBwQNx6gM +OjpDGXbUBvKe6qkXIXMbBuJA1hDug+wdlGlDsC6n1MR6EKFPLs3oDdmsVMyAeXv uA9lgkdwIeMpJ96JyDwQ5pCQ94NdLUPy84PlNPH3TJYshpp1di9tFe9MQ9j5lOds RMsc1OJLl06aavpMuyFLoV71+xFksTCeNZVEBlSr31kaf1wxr0hG3oCMjlFw/QcY FmY8nMirBSnrhGcOzg9zx4gfdvdf84mLmoRIAX/r1O5/RtiV13RQRp8/vo0h+4ou Btep5k5CnSag4tBSWvSzX5oaEcrCvaCU9CI/2vhmocTl5O1nsJVvWIHrbu7ygorx m+Yms1hf0io=Dgle -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202208-20
https://security.gentoo.org/
Severity: High Title: Apache HTTPD: Multiple Vulnerabilities Date: August 14, 2022 Bugs: #813429, #816399, #816864, #829722, #835131, #850622 ID: 202208-20
Synopsis
Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/apache-tools < 2.4.54 >= 2.4.54 2 www-servers/apache < 2.4.54 >= 2.4.54
Description
Multiple vulnerabilities have been discovered in Apache HTTPD. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Apache HTTPD users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.54"
All Apache HTTPD tools users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/apache-tools-2.4.54"
References
[ 1 ] CVE-2021-33193 https://nvd.nist.gov/vuln/detail/CVE-2021-33193 [ 2 ] CVE-2021-34798 https://nvd.nist.gov/vuln/detail/CVE-2021-34798 [ 3 ] CVE-2021-36160 https://nvd.nist.gov/vuln/detail/CVE-2021-36160 [ 4 ] CVE-2021-39275 https://nvd.nist.gov/vuln/detail/CVE-2021-39275 [ 5 ] CVE-2021-40438 https://nvd.nist.gov/vuln/detail/CVE-2021-40438 [ 6 ] CVE-2021-41524 https://nvd.nist.gov/vuln/detail/CVE-2021-41524 [ 7 ] CVE-2021-41773 https://nvd.nist.gov/vuln/detail/CVE-2021-41773 [ 8 ] CVE-2021-42013 https://nvd.nist.gov/vuln/detail/CVE-2021-42013 [ 9 ] CVE-2021-44224 https://nvd.nist.gov/vuln/detail/CVE-2021-44224 [ 10 ] CVE-2021-44790 https://nvd.nist.gov/vuln/detail/CVE-2021-44790 [ 11 ] CVE-2022-22719 https://nvd.nist.gov/vuln/detail/CVE-2022-22719 [ 12 ] CVE-2022-22720 https://nvd.nist.gov/vuln/detail/CVE-2022-22720 [ 13 ] CVE-2022-22721 https://nvd.nist.gov/vuln/detail/CVE-2022-22721 [ 14 ] CVE-2022-23943 https://nvd.nist.gov/vuln/detail/CVE-2022-23943 [ 15 ] CVE-2022-26377 https://nvd.nist.gov/vuln/detail/CVE-2022-26377 [ 16 ] CVE-2022-28614 https://nvd.nist.gov/vuln/detail/CVE-2022-28614 [ 17 ] CVE-2022-28615 https://nvd.nist.gov/vuln/detail/CVE-2022-28615 [ 18 ] CVE-2022-29404 https://nvd.nist.gov/vuln/detail/CVE-2022-29404 [ 19 ] CVE-2022-30522 https://nvd.nist.gov/vuln/detail/CVE-2022-30522 [ 20 ] CVE-2022-30556 https://nvd.nist.gov/vuln/detail/CVE-2022-30556 [ 21 ] CVE-2022-31813 https://nvd.nist.gov/vuln/detail/CVE-2022-31813
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-20
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-5090-3 September 28, 2021
apache2 regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
USN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning attacks. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. (CVE-2021-34798) Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-39275) It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to forward requests to arbitrary origin servers. (CVE-2021-40438)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: apache2 2.4.46-4ubuntu1.3 apache2-bin 2.4.46-4ubuntu1.3
Ubuntu 20.04 LTS: apache2 2.4.41-4ubuntu3.6 apache2-bin 2.4.41-4ubuntu3.6
Ubuntu 18.04 LTS: apache2 2.4.29-1ubuntu4.18 apache2-bin 2.4.29-1ubuntu4.18
In general, a standard system update will make all the necessary changes
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "11.0"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"_id": null,
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.1"
},
{
"_id": null,
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.3"
},
{
"_id": null,
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.2"
},
{
"_id": null,
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"_id": null,
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"_id": null,
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.58"
},
{
"_id": null,
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"_id": null,
"model": "http server",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.49"
},
{
"_id": null,
"model": "communications cloud native core network function cloud native environment",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.10.0"
},
{
"_id": null,
"model": "zfs storage appliance kit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.8"
},
{
"_id": null,
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.5.0.0"
},
{
"_id": null,
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"_id": null,
"model": "brocade fabric operating system",
"scope": "eq",
"trust": 1.0,
"vendor": "broadcom",
"version": null
},
{
"_id": null,
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "http server",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.30"
},
{
"_id": null,
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"_id": null,
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.4.0.0"
},
{
"_id": null,
"model": "http server",
"scope": "gte",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.30,\u003c=2.4.48"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"credits": {
"_id": null,
"data": "Ubuntu",
"sources": [
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
}
],
"trust": 0.3
},
"cve": "CVE-2021-36160",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2021-36160",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-03205",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-397448",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2021-36160",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-36160",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2022-03205",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202109-1113",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397448",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-36160",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"description": {
"_id": null,
"data": "A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). The server is fast, reliable and extensible through a simple API. \n\r\n\r\nApache HTTP Server has a denial of service vulnerability in versions 2.4.30 to 2.4.48, which is caused by the network system or product not properly validating the input data. An out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated malicious user to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. \n\nFor the oldstable distribution (buster), these problems have been fixed\nin version 2.4.38-3+deb10u6. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 2.4.51-1~deb11u1. \n\nWe recommend that you upgrade your apache2 packages. \n\nFor the detailed security status of apache2 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/apache2\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFgr44ACgkQEMKTtsN8\nTjbophAAiZ+fhF2r8BUbQkL8BhpfqjA+hVsp9WEMTn8Gq6kiW0wLvK3jWPM301Ou\nD4gHqKmFPmYNC1KBOyk/lJdxyD7iTUweUyLi3WXzxhIDMx0kxkRw1oXlyCHzIqSJ\nM277bgk32h2cDCbsXjrN/8agKPcKgfwDqiyf/igfEq6V8OB2zVvJPKVFq45n54+q\n4FPXSyx1g2u5ewSeXbU2uHDej6Qborui4osDdbwx8CT6aETi0cIXJ8RbXF3PUCHG\n5DzZagnRq6GumPsl01jcPu7b9Ck8MlkxMSG3FRsSIJVkwpsQ2C34ywIJkFlzUZZh\njhdVUrfbyfLpSdcPcipAAjl9I6gDqa9SFdMRK7ixCpQ6iTiVeDZdJ8pA4jnSweNQ\nTHik07di9R0juX0p7peQiIyBKrEf7Y3WSvLOn0SBKXvZnzc/72rH2nP5FclsgCsV\nTWxptziGridC43KB8/tDJAAOXVF2lzylzF70V/UGTNo1jk9w3/p6btU1iuzKspyY\nY4aPZla3DImI8mezrgFrGYNg7bZYLKuJyGDADKih2sUQpzmDZ6MJxKAE3NLRWyQa\n7cCJdoNR9yVqytEw1Y/ZRXAXWfMb3Y1ts2EqR8hzLQgMYb0JC58cLMG3T0RgyPoO\nA4CTIoYpK1WnsykAE8M4XFrnOW3lrtse6T8N/dTVMuodElAEhc0=\n=/At6\n-----END PGP SIGNATURE-----\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 security update\nAdvisory ID: RHSA-2022:7143-01\nProduct: Red Hat JBoss Core Services\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:7143\nIssue date: 2022-10-26\nCVE Names: CVE-2021-33193 CVE-2021-36160 CVE-2021-39275\n CVE-2021-41524 CVE-2021-44224 CVE-2021-45960\n CVE-2021-46143 CVE-2022-22822 CVE-2022-22823\n CVE-2022-22824 CVE-2022-22825 CVE-2022-22826\n CVE-2022-22827 CVE-2022-23852 CVE-2022-23990\n CVE-2022-25235 CVE-2022-25236 CVE-2022-25313\n CVE-2022-25314 CVE-2022-25315\n====================================================================\n1. Summary:\n\nAn update is now available for Red Hat JBoss Core Services. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss Core Services on RHEL 7 Server - noarch, x86_64\nRed Hat JBoss Core Services on RHEL 8 - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Core Services is a set of supplementary software for Red Hat\nJBoss middleware products. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51\nserves as a replacement for Red Hat JBoss Core Services Apache HTTP Server\n2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References. \n\nSecurity Fix(es):\n\n* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code\nexecution (CVE-2022-25235)\n\n* expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute\nvalues can lead to arbitrary code execution (CVE-2022-25236)\n\n* expat: Integer overflow in storeRawNames() (CVE-2022-25315)\n\n* httpd: Request splitting via HTTP/2 method injection and mod_proxy\n(CVE-2021-33193)\n\n* httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path\n(CVE-2021-36160)\n\n* httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n(CVE-2021-39275)\n\n* httpd: NULL pointer dereference via crafted request during HTTP/2 request\nprocessing (CVE-2021-41524)\n\n* httpd: possible NULL dereference or SSRF in forward proxy configurations\n(CVE-2021-44224)\n\n* expat: Large number of prefixed XML attributes on a single tag can crash\nlibexpat (CVE-2021-45960)\n\n* expat: Integer overflow in doProlog in xmlparse.c (CVE-2021-46143)\n\n* expat: Integer overflow in addBinding in xmlparse.c (CVE-2022-22822)\n\n* expat: Integer overflow in build_model in xmlparse.c (CVE-2022-22823)\n\n* expat: Integer overflow in defineAttribute in xmlparse.c (CVE-2022-22824)\n\n* expat: Integer overflow in lookup in xmlparse.c (CVE-2022-22825)\n\n* expat: Integer overflow in nextScaffoldPart in xmlparse.c\n(CVE-2022-22826)\n\n* expat: Integer overflow in storeAtts in xmlparse.c (CVE-2022-22827)\n\n* expat: Integer overflow in function XML_GetBuffer (CVE-2022-23852)\n\n* expat: stack exhaustion in doctype parsing (CVE-2022-25313)\n\n* expat: integer overflow in copyString() (CVE-2022-25314)\n\n* expat: integer overflow in the doProlog function (CVE-2022-23990)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nApplications using the APR libraries, such as httpd, must be restarted for\nthis update to take effect. After installing the updated packages, the\nhttpd daemon will be restarted automatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1966728 - CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy\n2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n2005124 - CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path\n2010934 - CVE-2021-41524 httpd: NULL pointer dereference via crafted request during HTTP/2 request processing\n2034672 - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations\n2044451 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat\n2044455 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c\n2044457 - CVE-2022-22822 expat: Integer overflow in addBinding in xmlparse.c\n2044464 - CVE-2022-22823 expat: Integer overflow in build_model in xmlparse.c\n2044467 - CVE-2022-22824 expat: Integer overflow in defineAttribute in xmlparse.c\n2044479 - CVE-2022-22825 expat: Integer overflow in lookup in xmlparse.c\n2044484 - CVE-2022-22826 expat: Integer overflow in nextScaffoldPart in xmlparse.c\n2044488 - CVE-2022-22827 expat: Integer overflow in storeAtts in xmlparse.c\n2044613 - CVE-2022-23852 expat: Integer overflow in function XML_GetBuffer\n2048356 - CVE-2022-23990 expat: integer overflow in the doProlog function\n2056350 - CVE-2022-25313 expat: stack exhaustion in doctype parsing\n2056354 - CVE-2022-25314 expat: integer overflow in copyString()\n2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()\n2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution\n2056370 - CVE-2022-25236 expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution\n\n6. Package List:\n\nRed Hat JBoss Core Services on RHEL 7 Server:\n\nSource:\njbcs-httpd24-apr-1.7.0-6.el7jbcs.src.rpm\njbcs-httpd24-apr-util-1.6.1-98.el7jbcs.src.rpm\njbcs-httpd24-brotli-1.0.9-2.el7jbcs.src.rpm\njbcs-httpd24-curl-7.83.1-6.el7jbcs.src.rpm\njbcs-httpd24-httpd-2.4.51-28.el7jbcs.src.rpm\njbcs-httpd24-jansson-2.14-1.el7jbcs.src.rpm\njbcs-httpd24-mod_http2-1.15.19-17.el7jbcs.src.rpm\njbcs-httpd24-mod_jk-1.2.48-41.redhat_1.el7jbcs.src.rpm\njbcs-httpd24-mod_md-2.4.0-15.el7jbcs.src.rpm\njbcs-httpd24-mod_proxy_cluster-1.3.17-9.el7jbcs.src.rpm\njbcs-httpd24-mod_security-2.9.3-19.el7jbcs.src.rpm\njbcs-httpd24-nghttp2-1.43.0-10.el7jbcs.src.rpm\njbcs-httpd24-openssl-1.1.1k-12.el7jbcs.src.rpm\njbcs-httpd24-openssl-chil-1.0.0-16.el7jbcs.src.rpm\njbcs-httpd24-openssl-pkcs11-0.4.10-31.el7jbcs.src.rpm\n\nnoarch:\njbcs-httpd24-httpd-manual-2.4.51-28.el7jbcs.noarch.rpm\n\nx86_64:\njbcs-httpd24-apr-1.7.0-6.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-debuginfo-1.7.0-6.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-devel-1.7.0-6.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-debuginfo-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-devel-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-ldap-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-mysql-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-nss-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-odbc-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-openssl-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-pgsql-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-apr-util-sqlite-1.6.1-98.el7jbcs.x86_64.rpm\njbcs-httpd24-brotli-1.0.9-2.el7jbcs.x86_64.rpm\njbcs-httpd24-brotli-debuginfo-1.0.9-2.el7jbcs.x86_64.rpm\njbcs-httpd24-brotli-devel-1.0.9-2.el7jbcs.x86_64.rpm\njbcs-httpd24-curl-7.83.1-6.el7jbcs.x86_64.rpm\njbcs-httpd24-curl-debuginfo-7.83.1-6.el7jbcs.x86_64.rpm\njbcs-httpd24-httpd-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-httpd-debuginfo-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-httpd-devel-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-httpd-selinux-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-httpd-tools-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-jansson-2.14-1.el7jbcs.x86_64.rpm\njbcs-httpd24-jansson-debuginfo-2.14-1.el7jbcs.x86_64.rpm\njbcs-httpd24-jansson-devel-2.14-1.el7jbcs.x86_64.rpm\njbcs-httpd24-libcurl-7.83.1-6.el7jbcs.x86_64.rpm\njbcs-httpd24-libcurl-devel-7.83.1-6.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_http2-1.15.19-17.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_http2-debuginfo-1.15.19-17.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_jk-ap24-1.2.48-41.redhat_1.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_jk-debuginfo-1.2.48-41.redhat_1.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_ldap-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_md-2.4.0-15.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_md-debuginfo-2.4.0-15.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_cluster-1.3.17-9.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-9.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_html-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_security-2.9.3-19.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_security-debuginfo-2.9.3-19.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_session-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-mod_ssl-2.4.51-28.el7jbcs.x86_64.rpm\njbcs-httpd24-nghttp2-1.43.0-10.el7jbcs.x86_64.rpm\njbcs-httpd24-nghttp2-debuginfo-1.43.0-10.el7jbcs.x86_64.rpm\njbcs-httpd24-nghttp2-devel-1.43.0-10.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-1.1.1k-12.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-chil-1.0.0-16.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-chil-debuginfo-1.0.0-16.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-debuginfo-1.1.1k-12.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-devel-1.1.1k-12.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-libs-1.1.1k-12.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-perl-1.1.1k-12.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-pkcs11-0.4.10-31.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-31.el7jbcs.x86_64.rpm\njbcs-httpd24-openssl-static-1.1.1k-12.el7jbcs.x86_64.rpm\n\nRed Hat JBoss Core Services on RHEL 8:\n\nSource:\njbcs-httpd24-apr-1.7.0-6.el8jbcs.src.rpm\njbcs-httpd24-apr-util-1.6.1-98.el8jbcs.src.rpm\njbcs-httpd24-brotli-1.0.9-2.el8jbcs.src.rpm\njbcs-httpd24-curl-7.83.1-6.el8jbcs.src.rpm\njbcs-httpd24-httpd-2.4.51-28.el8jbcs.src.rpm\njbcs-httpd24-jansson-2.14-1.el8jbcs.src.rpm\njbcs-httpd24-mod_http2-1.15.19-17.el8jbcs.src.rpm\njbcs-httpd24-mod_jk-1.2.48-41.redhat_1.el8jbcs.src.rpm\njbcs-httpd24-mod_md-2.4.0-15.el8jbcs.src.rpm\njbcs-httpd24-mod_proxy_cluster-1.3.17-9.el8jbcs.src.rpm\njbcs-httpd24-mod_security-2.9.3-19.el8jbcs.src.rpm\njbcs-httpd24-nghttp2-1.43.0-10.el8jbcs.src.rpm\njbcs-httpd24-openssl-1.1.1k-12.el8jbcs.src.rpm\njbcs-httpd24-openssl-chil-1.0.0-16.el8jbcs.src.rpm\njbcs-httpd24-openssl-pkcs11-0.4.10-31.el8jbcs.src.rpm\n\nnoarch:\njbcs-httpd24-httpd-manual-2.4.51-28.el8jbcs.noarch.rpm\n\nx86_64:\njbcs-httpd24-apr-1.7.0-6.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-debuginfo-1.7.0-6.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-devel-1.7.0-6.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-devel-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-ldap-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-ldap-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-mysql-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-mysql-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-nss-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-nss-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-odbc-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-odbc-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-openssl-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-openssl-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-pgsql-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-pgsql-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-sqlite-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-apr-util-sqlite-debuginfo-1.6.1-98.el8jbcs.x86_64.rpm\njbcs-httpd24-brotli-1.0.9-2.el8jbcs.x86_64.rpm\njbcs-httpd24-brotli-debuginfo-1.0.9-2.el8jbcs.x86_64.rpm\njbcs-httpd24-brotli-devel-1.0.9-2.el8jbcs.x86_64.rpm\njbcs-httpd24-curl-7.83.1-6.el8jbcs.x86_64.rpm\njbcs-httpd24-curl-debuginfo-7.83.1-6.el8jbcs.x86_64.rpm\njbcs-httpd24-httpd-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-httpd-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-httpd-devel-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-httpd-selinux-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-httpd-tools-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-httpd-tools-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-jansson-2.14-1.el8jbcs.x86_64.rpm\njbcs-httpd24-jansson-debuginfo-2.14-1.el8jbcs.x86_64.rpm\njbcs-httpd24-jansson-devel-2.14-1.el8jbcs.x86_64.rpm\njbcs-httpd24-libcurl-7.83.1-6.el8jbcs.x86_64.rpm\njbcs-httpd24-libcurl-debuginfo-7.83.1-6.el8jbcs.x86_64.rpm\njbcs-httpd24-libcurl-devel-7.83.1-6.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_http2-1.15.19-17.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_http2-debuginfo-1.15.19-17.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_jk-ap24-1.2.48-41.redhat_1.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_jk-ap24-debuginfo-1.2.48-41.redhat_1.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_ldap-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_ldap-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_md-2.4.0-15.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_md-debuginfo-2.4.0-15.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_cluster-1.3.17-9.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-9.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_html-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_proxy_html-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_security-2.9.3-19.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_security-debuginfo-2.9.3-19.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_session-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_session-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_ssl-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-mod_ssl-debuginfo-2.4.51-28.el8jbcs.x86_64.rpm\njbcs-httpd24-nghttp2-1.43.0-10.el8jbcs.x86_64.rpm\njbcs-httpd24-nghttp2-debuginfo-1.43.0-10.el8jbcs.x86_64.rpm\njbcs-httpd24-nghttp2-devel-1.43.0-10.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-1.1.1k-12.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-chil-1.0.0-16.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-chil-debuginfo-1.0.0-16.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-debuginfo-1.1.1k-12.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-devel-1.1.1k-12.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-libs-1.1.1k-12.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-libs-debuginfo-1.1.1k-12.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-perl-1.1.1k-12.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-pkcs11-0.4.10-31.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-31.el8jbcs.x86_64.rpm\njbcs-httpd24-openssl-static-1.1.1k-12.el8jbcs.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-33193\nhttps://access.redhat.com/security/cve/CVE-2021-36160\nhttps://access.redhat.com/security/cve/CVE-2021-39275\nhttps://access.redhat.com/security/cve/CVE-2021-41524\nhttps://access.redhat.com/security/cve/CVE-2021-44224\nhttps://access.redhat.com/security/cve/CVE-2021-45960\nhttps://access.redhat.com/security/cve/CVE-2021-46143\nhttps://access.redhat.com/security/cve/CVE-2022-22822\nhttps://access.redhat.com/security/cve/CVE-2022-22823\nhttps://access.redhat.com/security/cve/CVE-2022-22824\nhttps://access.redhat.com/security/cve/CVE-2022-22825\nhttps://access.redhat.com/security/cve/CVE-2022-22826\nhttps://access.redhat.com/security/cve/CVE-2022-22827\nhttps://access.redhat.com/security/cve/CVE-2022-23852\nhttps://access.redhat.com/security/cve/CVE-2022-23990\nhttps://access.redhat.com/security/cve/CVE-2022-25235\nhttps://access.redhat.com/security/cve/CVE-2022-25236\nhttps://access.redhat.com/security/cve/CVE-2022-25313\nhttps://access.redhat.com/security/cve/CVE-2022-25314\nhttps://access.redhat.com/security/cve/CVE-2022-25315\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBY1nOZtzjgjWX9erEAQjuIxAApYL8vG/A+EEcbUqbTvVWogX49KtpAbJR\nV1Gv6llWWogAKT9HEE9AGansLscDYD8cyh6TNShY7lDkX7iYchzJLCs6IYDhBzls\nj7jSdQEgpEVUCPLdKA17rFMO5FvZSlp0pgvFjSH3r+Q1+IVhsxKSXagTbFaTqGgP\nJVqYMrbot+wzwkC1oHda0/Wh4UwqraveivOT/56FOXw6T0uxF0G51RuT+GSusUFe\np7hwNNbE/xWONnQu29QNqMdB9IYFTEjpDV1Tn2i2wPMl1IhQVFhQUqgpjfL29KLc\nM+bOg6nE2NP4a6+YcYQevKwWTmq+VMLwwwCaNKsqFtK9KrDc/cy3nEDvBwQNx6gM\n+OjpDGXbUBvKe6qkXIXMbBuJA1hDug+wdlGlDsC6n1MR6EKFPLs3oDdmsVMyAeXv\nuA9lgkdwIeMpJ96JyDwQ5pCQ94NdLUPy84PlNPH3TJYshpp1di9tFe9MQ9j5lOds\nRMsc1OJLl06aavpMuyFLoV71+xFksTCeNZVEBlSr31kaf1wxr0hG3oCMjlFw/QcY\nFmY8nMirBSnrhGcOzg9zx4gfdvdf84mLmoRIAX/r1O5/RtiV13RQRp8/vo0h+4ou\nBtep5k5CnSag4tBSWvSzX5oaEcrCvaCU9CI/2vhmocTl5O1nsJVvWIHrbu7ygorx\nm+Yms1hf0io=Dgle\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202208-20\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Apache HTTPD: Multiple Vulnerabilities\n Date: August 14, 2022\n Bugs: #813429, #816399, #816864, #829722, #835131, #850622\n ID: 202208-20\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been discovered in Apache Webserver, the\nworst of which could result in remote code execution. \n\nAffected packages\n================\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 app-admin/apache-tools \u003c 2.4.54 \u003e= 2.4.54\n 2 www-servers/apache \u003c 2.4.54 \u003e= 2.4.54\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in Apache HTTPD. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Apache HTTPD users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/apache-2.4.54\"\n\nAll Apache HTTPD tools users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=app-admin/apache-tools-2.4.54\"\n\nReferences\n=========\n[ 1 ] CVE-2021-33193\n https://nvd.nist.gov/vuln/detail/CVE-2021-33193\n[ 2 ] CVE-2021-34798\n https://nvd.nist.gov/vuln/detail/CVE-2021-34798\n[ 3 ] CVE-2021-36160\n https://nvd.nist.gov/vuln/detail/CVE-2021-36160\n[ 4 ] CVE-2021-39275\n https://nvd.nist.gov/vuln/detail/CVE-2021-39275\n[ 5 ] CVE-2021-40438\n https://nvd.nist.gov/vuln/detail/CVE-2021-40438\n[ 6 ] CVE-2021-41524\n https://nvd.nist.gov/vuln/detail/CVE-2021-41524\n[ 7 ] CVE-2021-41773\n https://nvd.nist.gov/vuln/detail/CVE-2021-41773\n[ 8 ] CVE-2021-42013\n https://nvd.nist.gov/vuln/detail/CVE-2021-42013\n[ 9 ] CVE-2021-44224\n https://nvd.nist.gov/vuln/detail/CVE-2021-44224\n[ 10 ] CVE-2021-44790\n https://nvd.nist.gov/vuln/detail/CVE-2021-44790\n[ 11 ] CVE-2022-22719\n https://nvd.nist.gov/vuln/detail/CVE-2022-22719\n[ 12 ] CVE-2022-22720\n https://nvd.nist.gov/vuln/detail/CVE-2022-22720\n[ 13 ] CVE-2022-22721\n https://nvd.nist.gov/vuln/detail/CVE-2022-22721\n[ 14 ] CVE-2022-23943\n https://nvd.nist.gov/vuln/detail/CVE-2022-23943\n[ 15 ] CVE-2022-26377\n https://nvd.nist.gov/vuln/detail/CVE-2022-26377\n[ 16 ] CVE-2022-28614\n https://nvd.nist.gov/vuln/detail/CVE-2022-28614\n[ 17 ] CVE-2022-28615\n https://nvd.nist.gov/vuln/detail/CVE-2022-28615\n[ 18 ] CVE-2022-29404\n https://nvd.nist.gov/vuln/detail/CVE-2022-29404\n[ 19 ] CVE-2022-30522\n https://nvd.nist.gov/vuln/detail/CVE-2022-30522\n[ 20 ] CVE-2022-30556\n https://nvd.nist.gov/vuln/detail/CVE-2022-30556\n[ 21 ] CVE-2022-31813\n https://nvd.nist.gov/vuln/detail/CVE-2022-31813\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202208-20\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. ==========================================================================\nUbuntu Security Notice USN-5090-3\nSeptember 28, 2021\n\napache2 regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 21.04\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nUSN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream\nfixes introduced a regression in UDS URIs. This update fixes the problem. \n\nOriginal advisory details:\n\n James Kettle discovered that the Apache HTTP Server HTTP/2 module\n incorrectly handled certain crafted methods. A remote attacker could\n possibly use this issue to perform request splitting or cache poisoning\n attacks. A remote attacker could possibly use this issue to\n cause the server to crash, resulting in a denial of service. \n (CVE-2021-34798)\n Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly\n handled certain request uri-paths. A remote attacker could possibly use\n this issue to cause the server to crash, resulting in a denial of service. \n This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote\n attacker could use this issue to cause the server to crash, resulting in a\n denial of service, or possibly execute arbitrary code. (CVE-2021-39275)\n It was discovered that the Apache mod_proxy module incorrectly handled\n certain request uri-paths. A remote attacker could possibly use this issue\n to cause the server to forward requests to arbitrary origin servers. \n (CVE-2021-40438)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 21.04:\n apache2 2.4.46-4ubuntu1.3\n apache2-bin 2.4.46-4ubuntu1.3\n\nUbuntu 20.04 LTS:\n apache2 2.4.41-4ubuntu3.6\n apache2-bin 2.4.41-4ubuntu3.6\n\nUbuntu 18.04 LTS:\n apache2 2.4.29-1ubuntu4.18\n apache2-bin 2.4.29-1ubuntu4.18\n\nIn general, a standard system update will make all the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-36160"
},
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
}
],
"trust": 2.25
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2021-36160",
"trust": 3.1
},
{
"db": "PACKETSTORM",
"id": "168072",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169541",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-03205",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "168565",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "167073",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164329",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164318",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2022012041",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022051150",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021092301",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101101",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021091707",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101513",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.3",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3357",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3387",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.7",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3591",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3229",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3248",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3489",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.5",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3148",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "169540",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-397448",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-36160",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169132",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164305",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"id": "VAR-202109-1804",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
}
],
"trust": 1.325
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
}
]
},
"last_update_date": "2026-04-10T21:46:55.194000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Patch for Apache HTTP Server Denial of Service Vulnerability (CNVD-2022-03205)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/313441"
},
{
"title": "Apache HTTP Server Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=163990"
},
{
"title": "Red Hat: Moderate: httpd:2.4 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221915 - Security Advisory"
},
{
"title": "Red Hat: CVE-2021-36160",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-36160"
},
{
"title": "Debian Security Advisories: DSA-4982-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=93a29f7ecf9a6aaba79d3b3320aa4b85"
},
{
"title": "Red Hat: Moderate: httpd24-httpd security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226753 - Security Advisory"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-36160 log"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1543",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1543"
},
{
"title": "Cisco: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1716",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1716"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/PierreChrd/py-projet-tut "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-125",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html"
},
{
"trust": 1.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36160"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-httpd-2.4.49-vwl69swq"
},
{
"trust": 1.2,
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2021-36160"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39275"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33193"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3@%3cbugs."
},
{
"trust": 0.6,
"url": "httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.6,
"url": "http://"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers."
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3229"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101513"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169541/red-hat-security-advisory-2022-7143-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3357"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3591"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168072/gentoo-linux-security-advisory-202208-20.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.7"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164318/ubuntu-security-notice-usn-5090-3.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168565/red-hat-security-advisory-2022-6753-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.3"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.2"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.5"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092301"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3387"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164329/ubuntu-security-notice-usn-5090-4.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3248"
},
{
"trust": 0.6,
"url": "httpd-2.4.49-vwl69swq"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022051150"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3148"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3489"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012041"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021091707"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101101"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-http-server-four-vulnerabilities-36444"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/167073/red-hat-security-advisory-2022-1915-01.html"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40438"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-34798"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44224"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41524"
},
{
"trust": 0.3,
"url": "https://ubuntu.com/security/notices/usn-5090-1"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-45960"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-33193"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25313"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22823"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22822"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22824"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22824"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22826"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22827"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22822"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-45960"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-41524"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22827"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22826"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-23990"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-46143"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25315"
},
{
"trust": 0.2,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25314"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-44224"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22823"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22825"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25236"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25235"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23852"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-23852"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22825"
},
{
"trust": 0.2,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-46143"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-39275"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1915"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/apache2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7144"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7143"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22721"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28614"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29404"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44790"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28615"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30522"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41773"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22719"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30556"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-42013"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23943"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22720"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26377"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.17"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.5"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/xxxxxx"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-4"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-3"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.6"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1945311"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.18"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.3"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-03205",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-397448",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2021-36160",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "169132",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "169540",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "169541",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "168072",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164305",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164329",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164318",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2021-36160",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03205",
"ident": null
},
{
"date": "2021-09-16T00:00:00",
"db": "VULHUB",
"id": "VHN-397448",
"ident": null
},
{
"date": "2021-09-16T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36160",
"ident": null
},
{
"date": "2021-10-28T19:12:00",
"db": "PACKETSTORM",
"id": "169132",
"ident": null
},
{
"date": "2022-10-27T13:05:19",
"db": "PACKETSTORM",
"id": "169540",
"ident": null
},
{
"date": "2022-10-27T13:05:26",
"db": "PACKETSTORM",
"id": "169541",
"ident": null
},
{
"date": "2022-08-15T16:02:48",
"db": "PACKETSTORM",
"id": "168072",
"ident": null
},
{
"date": "2021-09-28T15:06:35",
"db": "PACKETSTORM",
"id": "164305",
"ident": null
},
{
"date": "2021-09-29T14:50:01",
"db": "PACKETSTORM",
"id": "164329",
"ident": null
},
{
"date": "2021-09-28T15:23:06",
"db": "PACKETSTORM",
"id": "164318",
"ident": null
},
{
"date": "2021-09-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1113",
"ident": null
},
{
"date": "2021-09-16T15:15:07.330000",
"db": "NVD",
"id": "CVE-2021-36160",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03205",
"ident": null
},
{
"date": "2022-10-18T00:00:00",
"db": "VULHUB",
"id": "VHN-397448",
"ident": null
},
{
"date": "2022-08-15T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36160",
"ident": null
},
{
"date": "2022-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1113",
"ident": null
},
{
"date": "2025-05-01T15:40:05.120000",
"db": "NVD",
"id": "CVE-2021-36160",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
}
],
"trust": 1.0
},
"title": {
"_id": null,
"data": "Apache HTTP Server Denial of Service Vulnerability (CNVD-2022-03205)",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
}
],
"trust": 0.6
},
"type": {
"_id": null,
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.