Apache 2.4.53 arrives with improvements, fixes and more

A few days ago the new maintenance release of the Apache HTTP Server, version 2.4.53, was announced. It introduces 14 changes and fixes 4 vulnerabilities. The announcement describes it as the latest release of the 2.4.x branch of Apache httpd, representing fifteen years of innovation by the project, and recommends it over all previous versions.

For those unfamiliar with Apache: it is a popular open source HTTP web server, available for Unix-like platforms (BSD, GNU/Linux, etc.), Microsoft Windows, macOS and others.

What's new in Apache 2.4.53?

Among the most notable non-security changes in Apache 2.4.53 are those in mod_proxy: the limit on the length of a proxy worker name was raised, and timeouts can now be configured selectively for the backend and the frontend (for example, per worker). For requests tunnelled via WebSockets or the CONNECT method, the timeout is now the larger of the values set for the backend and the frontend.

Another notable change is that opening a DBM file and loading the DBM driver are now handled as separate steps; when one of them fails, the log shows more detailed information about the error and the driver involved.

In mod_md, requests to /.well-known/acme-challenge/ are no longer processed unless the domain configuration explicitly enables the 'http-01' challenge type, and in mod_dav a regression that caused high memory consumption when processing a large number of resources was fixed.

Also highlighted: regular expressions can now be processed with the pcre2 library (10.x) instead of pcre (8.x); LDAP escaping support was added for query filters, so that user-supplied values are handled correctly when an attacker tries to inject LDAP filter constructs; and mpm_event fixed a deadlock that occurred on graceful restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems.
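As an added example (this is not code from the Apache project or from its LDAP modules), the following Python shows why escaping matters when a user-controlled value is inserted into an LDAP search filter: the first builder pastes the value in unescaped, the second applies the RFC 4515 escaping rules. The filter template, the injected user name and the assertion-counting helper are constructed here for illustration and are not taken from httpd.

```python
import re

# Added example: RFC 4515 filter escaping versus unsafe string building.
# The template is an assumption chosen for illustration, not httpd's own.
TEMPLATE = "(&(objectClass=person)(uid={user}))"

# Constructed attacker input: closes the uid assertion and appends a
# wildcard assertion so the filter matches every person entry.
INJECTED_USER = "*)(uid=*"

# The five characters RFC 4515 section 3 requires to be escaped in a value.
_SPECIAL = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter.

    Required specials become backslash-hex; control and non-ASCII
    characters are also emitted as escaped UTF-8 bytes, which the RFC
    permits and which keeps the filter unambiguous as a byte string.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(username: str, template: str = TEMPLATE) -> str:
    """The injection-prone pattern: raw user input pasted into the filter."""
    return template.replace("{user}", username)


def build_filter_safe(username: str, template: str = TEMPLATE) -> str:
    """Same template, but the user-controlled value is escaped first."""
    return template.replace("{user}", escape_filter_value(username))


# An attribute assertion starts with '(' that does not open an &, | or ! group.
# Escaped parentheses appear as \28 / \29 and therefore are not counted.
_ASSERTION = re.compile(r"\((?![&|!])")


def count_assertions(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter string."""
    return len(_ASSERTION.findall(ldap_filter))


def demo() -> dict:
    """Build both filters for the injected value and report their shape."""
    unsafe = build_filter_unsafe(INJECTED_USER)
    safe = build_filter_safe(INJECTED_USER)
    return {
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_assertions": count_assertions(unsafe),
        "safe_assertions": count_assertions(safe),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running the block prints both filters: the unsafe one has gained an extra (uid=*) assertion that matches every person entry, while the escaped one remains a single literal comparison against the text `*)(uid=*`. The same escaping applies to any value interpolated into a filter; distinguished names follow the separate RFC 4514 rules and must not be escaped with this function.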

The vulnerabilities fixed in this release are the following:

  • CVE-2022-22720: an HTTP request smuggling vulnerability. By sending specially crafted requests, a client could interfere with the content of other users' requests forwarded through mod_proxy (for example, injecting malicious JavaScript into another user's session on the site). The cause is that the server failed to close the inbound connection after encountering an error while discarding an invalid request body.
  • CVE-2022-23943: an out-of-bounds write in the mod_sed module that allows heap memory to be overwritten with attacker-controlled data.
  • CVE-2022-22721: an out-of-bounds write caused by an integer overflow when a request body larger than 350 MB is processed. It affects 32-bit systems on which LimitXMLRequestBody is set too high (the default is 1 MB; for the attack to work the limit must be above 350 MB).
  • CVE-2022-22719: a vulnerability in mod_lua in which a specially crafted request body causes a read from a random memory area and can crash the process. It is caused by the use of an uninitialized value in the code of the r:parsebody function.

Finally, if you want to know more about this release, you can check the details in the official release notes.

Download

You can get the new version from the official Apache website; its download section has the link to the new release.


