CVE-2022-22720
📋 TL;DR
Apache HTTP Server versions 2.4.52 and earlier contain a vulnerability where the server fails to properly close inbound connections when encountering errors while discarding request bodies. This allows attackers to perform HTTP request smuggling attacks, potentially bypassing security controls and accessing restricted resources. Any system running vulnerable Apache versions with HTTP/1.1 enabled is affected.
💻 Affected Systems
- Apache HTTP Server
📦 What is this software?
Fedora by Fedoraproject
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security controls like web application firewalls, access restricted backend systems, poison caches, or perform session hijacking through request smuggling.
Likely Case
Attackers bypass security controls to access restricted content or perform session fixation attacks against users.
If Mitigated
With proper network segmentation and WAF rules, impact is limited to potential service disruption or limited information disclosure.
🎯 Exploit Status
Exploitation requires understanding of HTTP protocol manipulation and request smuggling techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache HTTP Server 2.4.53
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Download Apache 2.4.53 or later from httpd.apache.org.
2. Stop the Apache service.
3. Back up configuration files.
4. Install the new version.
5. Restart the Apache service.
🔧 Temporary Workarounds
Disable HTTP/1.1
Force HTTP/2 usage only to avoid the vulnerability:
Protocols h2 http/1.1
ProtocolsHonorOrder On
Note that the directives as shown only make the server prefer h2; http/1.1 is still listed and therefore still negotiable. HTTP/1.1 is excluded only if it is removed from the Protocols list, which breaks clients without HTTP/2 support (and browsers negotiate h2 only over TLS), so treat this as a partial measure rather than a substitute for patching.
Request Body Size Limiting
Limit request body sizes to reduce the attack surface:
LimitRequestBody 1048576
🧯 If You Can't Patch
- Implement a web application firewall with HTTP request smuggling detection rules
- Use reverse proxy with request validation and normalization
🔍 How to Verify
Check if Vulnerable:
Check the Apache version with 'httpd -v' or 'apache2 -v'. If the version is 2.4.52 or earlier, the system is vulnerable. Distribution packages may backport the fix without changing the upstream version string; in that case confirm against your distribution's advisory (see the references) rather than the version alone.
Check Version:
httpd -v
Verify Fix Applied:
After patching, verify version is 2.4.53 or later and test with HTTP request smuggling test tools.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests from same connection with malformed headers
- Unexpected 400/413 errors
- Requests with unusual Content-Length or Transfer-Encoding headers
Network Indicators:
- HTTP requests with conflicting Content-Length and Transfer-Encoding headers
- Requests that cause connection persistence anomalies
SIEM Query:
source="apache_access" AND ("Transfer-Encoding" OR "Content-Length") AND status=400
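The log indicators above, applied to sample access-log lines as an added example (not part of the advisory). It assumes a custom LogFormat that records the connection log ID and the inbound Content-Length and Transfer-Encoding headers, since the default combined format does not log them; the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed custom LogFormat (an assumption, not from the advisory):
#   LogFormat "%h %{c}L %k \"%r\" %>s %{Content-Length}i %{Transfer-Encoding}i" smuggle
# %{c}L is the connection log ID, %k the request number on that keep-alive connection.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<conn>\S+) (?P<k>\d+) "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<cl>\S+) (?P<te>\S+)$'
)

# Constructed sample log: one connection carries a request with both
# Content-Length and Transfer-Encoding, followed by repeated 400 errors.
SAMPLE_LOG = """\
203.0.113.5 Yl2s@abc 0 "POST /upload HTTP/1.1" 200 12 -
203.0.113.5 Yl2s@abc 1 "POST /upload HTTP/1.1" 400 13 chunked
203.0.113.5 Yl2s@abc 2 "GET /admin HTTP/1.1" 400 - -
198.51.100.7 Yl2t@def 0 "GET /index.html HTTP/1.1" 200 - -
198.51.100.7 Yl2u@ghi 0 "POST /api HTTP/1.1" 413 5000000 -
"""

def parse(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, burst_threshold=2):
    """Apply the advisory's indicators.

    Returns (findings, bursts): findings is a list of tuples
    (indicator, client_ip, connection_id, detail) for conflicting
    Content-Length/Transfer-Encoding headers and for 400/413 responses;
    bursts lists connection IDs that produced at least burst_threshold errors,
    i.e. multiple error responses on the same persistent connection.
    """
    findings = []
    errors_per_conn = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue  # unparsable line: not in the assumed format
        if rec["cl"] != "-" and rec["te"] != "-":
            findings.append(("cl_te_conflict", rec["ip"], rec["conn"], rec["req"]))
        if rec["status"] in ("400", "413"):
            findings.append(("error_status", rec["ip"], rec["conn"], rec["status"]))
            errors_per_conn[rec["conn"]] += 1
    bursts = sorted(c for c, n in errors_per_conn.items() if n >= burst_threshold)
    return findings, bursts
```

A single CL+TE hit or a lone 400 is weak evidence on its own; the connection-level burst is the signal worth alerting on, with the flagged connection's requests pulled for review.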
🔗 References
- http://seclists.org/fulldisclosure/2022/May/33
- http://seclists.org/fulldisclosure/2022/May/35
- http://seclists.org/fulldisclosure/2022/May/38
- http://www.openwall.com/lists/oss-security/2022/03/14/3
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html