{
  "threat_severity" : "Moderate",
  "public_date" : "2022-03-14T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody",
    "id" : "2064320",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2064320"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.", "A flaw was found in httpd, where it incorrectly limits the value of the LimitXMLRequestBody option. This issue can lead to an integer overflow and later causes an out-of-bounds write." ],
  "statement" : "The default configuration of the LimitXMLRequestBody option on RHEL is 1MB and therefore is not vulnerable to this flaw. Also, this issue is known to only affect 32bit httpd builds.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.51-37.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.51-37.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7647",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8070020220725152258.3b9f49c4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8067",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.53-7.el9"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-09-29T00:00:00Z",
    "advisory" : "RHSA-2022:6753",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-23.el7.5"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8841",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-22721\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22721\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721" ],
  "name" : "CVE-2022-22721",
  "mitigation" : {
    "value" : "Set the LimitXMLRequestBody option to a value smaller than 350MB. Setting it to 0 is not recommended as it will use a hard limit (depending on 32bit or 64bit systems) which may result in an overall system out-of-memory. The default configuration is not vulnerable to this flaw, see the statement above.",
    "lang" : "en:us"
  },
  "csaw" : false
}