Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:2101-1 Final 1 1 2022-06-16T12:47:15Z current 2022-06-16T12:47:15Z 2022-06-16T12:47:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338) - CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340) - CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341) - CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345) - CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350) - CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352) - CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-2101,SUSE-SLE-SDK-12-SP5-2022-2101,SUSE-SLE-SERVER-12-SP5-2022-2101 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ Link for SUSE-SU-2022:2101-1 https://lists.suse.com/pipermail/sle-security-updates/2022-June/011298.html E-Mail link for SUSE-SU-2022:2101-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1200338 SUSE Bug 1200338 https://bugzilla.suse.com/1200340 SUSE Bug 1200340 https://bugzilla.suse.com/1200341 SUSE Bug 1200341 https://bugzilla.suse.com/1200345 SUSE Bug 1200345 https://bugzilla.suse.com/1200348 SUSE Bug 1200348 https://bugzilla.suse.com/1200350 SUSE Bug 1200350 https://bugzilla.suse.com/1200352 SUSE Bug 1200352 https://www.suse.com/security/cve/CVE-2022-26377/ SUSE CVE CVE-2022-26377 page https://www.suse.com/security/cve/CVE-2022-28614/ SUSE CVE CVE-2022-28614 page https://www.suse.com/security/cve/CVE-2022-28615/ SUSE CVE CVE-2022-28615 page https://www.suse.com/security/cve/CVE-2022-29404/ SUSE CVE CVE-2022-29404 page https://www.suse.com/security/cve/CVE-2022-30522/ SUSE CVE CVE-2022-30522 page https://www.suse.com/security/cve/CVE-2022-30556/ SUSE CVE CVE-2022-30556 page https://www.suse.com/security/cve/CVE-2022-31813/ SUSE CVE CVE-2022-31813 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 apache2-2.4.51-35.19.1 apache2-devel-2.4.51-35.19.1 apache2-doc-2.4.51-35.19.1 apache2-event-2.4.51-35.19.1 apache2-example-pages-2.4.51-35.19.1 apache2-prefork-2.4.51-35.19.1 apache2-utils-2.4.51-35.19.1 apache2-worker-2.4.51-35.19.1 apache2-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-doc-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-example-pages-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-prefork-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-utils-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-worker-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-doc-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-example-pages-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-prefork-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-utils-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-worker-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-devel-2.4.51-35.19.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. CVE-2022-26377 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-26377.html CVE-2022-26377 https://bugzilla.suse.com/1200338 SUSE Bug 1200338 The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. CVE-2022-28614 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-28614.html CVE-2022-28614 https://bugzilla.suse.com/1200340 SUSE Bug 1200340 Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. CVE-2022-28615 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-28615.html CVE-2022-28615 https://bugzilla.suse.com/1200341 SUSE Bug 1200341 In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. CVE-2022-29404 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-29404.html CVE-2022-29404 https://bugzilla.suse.com/1200345 SUSE Bug 1200345 If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. CVE-2022-30522 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-30522.html CVE-2022-30522 https://bugzilla.suse.com/1200352 SUSE Bug 1200352 Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. CVE-2022-30556 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-30556.html CVE-2022-30556 https://bugzilla.suse.com/1200350 SUSE Bug 1200350 Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. CVE-2022-31813 SUSE Linux Enterprise Server 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-doc-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-example-pages-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-prefork-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-utils-2.4.51-35.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-worker-2.4.51-35.19.1 SUSE Linux Enterprise Software Development Kit 12 SP5:apache2-devel-2.4.51-35.19.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20222101-1/ https://www.suse.com/security/cve/CVE-2022-31813.html CVE-2022-31813 https://bugzilla.suse.com/1200348 SUSE Bug 1200348 https://bugzilla.suse.com/1219585 SUSE Bug 1219585 https://bugzilla.suse.com/1225670 SUSE Bug 1225670