{ "threat_severity" : "Important", "public_date" : "2022-03-14T00:00:00Z", "bugzilla" : { "description" : "httpd: mod_sed: Read/write beyond bounds", "id" : "2064319", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2064319" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.", "An out-of-bounds read/write vulnerability was found in the mod_sed module of httpd. This flaw allows an attacker to overwrite the memory of an httpd instance that is using mod_sed with data provided by the attacker." ], "statement" : "The `mod_sed` module is disabled by default on Red Hat Enterprise Linux 7 and 8. For this reason, the flaw has been rated as having a security impact of Moderate. The httpd package as shipped with Red Hat Enterprise Linux 6 is not affected by this flaw because the `mod_sed` module is available only in httpd 2.3 and later.", "affected_release" : [ { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-12-08T00:00:00Z", "advisory" : "RHSA-2022:8840", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-httpd-0:2.4.51-37.el8jbcs", "impact" : "moderate" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-12-08T00:00:00Z", "advisory" : "RHSA-2022:8840", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.51-37.el7jbcs", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-11-08T00:00:00Z", "advisory" : "RHSA-2022:7647", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "httpd:2.4-8070020220725152258.3b9f49c4", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8067", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "httpd-0:2.4.53-7.el9", "impact" : "moderate" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2022-09-29T00:00:00Z", "advisory" : "RHSA-2022:6753", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-23.el7.5", "impact" : "moderate" }, { "product_name" : "Text-Only JBCS", "release_date" : "2022-12-08T00:00:00Z", "advisory" : "RHSA-2022:8841", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "jbcs-httpd24-httpd", "impact" : "moderate" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-23943\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23943\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943" ], "name" : "CVE-2022-23943", "mitigation" : { "value" : "Disabling mod_sed and restarting httpd will mitigate this flaw. See https://access.redhat.com/articles/10649 for more information.", "lang" : "en:us" }, "csaw" : false }