Lucene search

K
oraclelinuxOracleLinuxELSA-2022-7647
HistoryNov 15, 2022 - 12:00 a.m.

httpd:2.4 security update

2022-11-1500:00:00
linux.oracle.com
30

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.348 Low

EPSS

Percentile

97.1%

httpd
[2.4.37-51.0.1]

  • Set vstring per ORACLE_SUPPORT_PRODUCT [Orabug: 29892262]
  • Replace index.html with Oracles index page oracle_index.html
    [2.4.37-51]
  • Resolves: #2097015 - CVE-2022-28614 httpd:2.4/httpd: out-of-bounds read via
    ap_rwrite()
  • Resolves: #2097031 - CVE-2022-28615 httpd:2.4/httpd: out-of-bounds read in
    ap_strcmp_match()
  • Resolves: #2097458 - CVE-2022-30522 httpd:2.4/httpd: mod_sed: DoS
    vulnerability
  • Resolves: #2097480 - CVE-2022-30556 httpd:2.4/httpd: mod_lua: Information
    disclosure with websockets
  • Resolves: #2098247 - CVE-2022-31813 httpd:2.4/httpd: mod_proxy:
    X-Forwarded-For dropped by hop-by-hop mechanism
  • Resolves: #2097451 - CVE-2022-29404 httpd:2.4/httpd: mod_lua: DoS in
    r:parsebody
  • Resolves: #2096997 - CVE-2022-26377 httpd:2.4/httpd: mod_proxy_ajp: Possible
    request smuggling
    [2.4.37-50]
  • Resolves: #2065237 - CVE-2022-22719 httpd:2.4/httpd: mod_lua: Use of
    uninitialized value of in r:parsebody
  • Resolves: #2065267 - CVE-2022-22721 httpd:2.4/httpd: core: Possible buffer
    overflow with very large or unlimited LimitXMLRequestBody
  • Resolves: #2065324 - CVE-2022-23943 httpd:2.4/httpd: mod_sed: Read/write
    beyond bounds
    [2.4.37-49]
  • Resolves: #2090848 - CVE-2020-13950 httpd:2.4/httpd: mod_proxy NULL pointer
    dereference
    [2.4.37-48]
  • Resolves: #2065249 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling
    vulnerability in Apache HTTP Server 2.4.52 and earlier
    mod_http2
    [1.15.7-5]
  • Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference
    or SSRF in forward proxy configurations
    [1.15.7-4]
  • Resolves: #1966728 - CVE-2021-33193 httpd:2.4/mod_http2: httpd:
    Request splitting via HTTP/2 method injection and mod_proxy

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.348 Low

EPSS

Percentile

97.1%