Vulnerability Apache HTTP Server (CVE-2021-44790)

Apache has published a vulnerability for HTTP Server. Does Checkmk not update the Apache server in its updates?

https://httpd.apache.org/security/vulnerabilities_24.html

high: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

This issue affects Apache HTTP Server 2.4.51 and earlier.

Acknowledgments: Chamal

Reported to security team 2021-12-07
Fixed by r1896039 in 2.4.x 2021-12-16
Update 2.4.52 released 2021-12-20
Affects <= 2.4.51

Do you know if Checkmk uses mod_lua, or can it be disabled in the Apache server?

OMD[cmk_site]:~$ httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 10 2021 14:26:31

Hi @a3093,

Checkmk doesn't use mod_lua. As far as I know, mod_lua is used rarely and sparsely because it allows wide-ranging access to the underlying host.

1 Like

Checkmk does not bring its own Apache httpd. It just uses the software installed in the system (CentOS in your case).

I would be very surprised if Checkmk used mod_lua.
mod_lua is not enabled in my (Debian-based) Checkmk installations.

4 Likes
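The question in the first post (is mod_lua loaded, can it be disabled) and the answers above (Checkmk relies on the distribution's httpd, and mod_lua is not enabled in the replier's installations) both come down to the same check on the host. The script below is an added example, not code from the thread or from the Checkmk project: it parses the module list that `httpd -M` (or `apachectl -M`) prints, looks for an uncommented `LoadModule lua_module` line in a configuration fragment, and, for distribution packages that backport fixes without bumping the upstream version (such as the Apache/2.4.6 CentOS build shown above), greps the RPM changelog for the CVE id. The sample outputs embedded in the script are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the forum thread): defender-side checks for
# CVE-2021-44790 exposure. The functions take text as their first argument so
# they can be run against captured output as well as a live host.

# Returns 0 when lua_module appears in `httpd -M` output, 1 otherwise.
mod_lua_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lua_module[[:space:]]+\((shared|static)\)'
}

# Returns 0 when an uncommented LoadModule line for mod_lua is present in the
# given configuration text (commented-out lines do not count).
mod_lua_configured() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+lua_module[[:space:]]'
}

# Returns 0 when the package changelog mentions the CVE, i.e. the distribution
# has backported the fix even though the version string still reads 2.4.6.
changelog_mentions_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2021-44790'
}

# One-line verdict for a module list, suitable for a monitoring local check.
report() {
    if mod_lua_loaded "$1"; then
        echo "mod_lua loaded: review CVE-2021-44790 exposure"
    else
        echo "mod_lua not loaded"
    fi
}

# Constructed sample data (not real host output).
SAMPLE_WITH_LUA='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 lua_module (shared)
 ssl_module (shared)'

SAMPLE_WITHOUT_LUA='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 ssl_module (shared)'

SAMPLE_CONF='# mod_lua is shipped but disabled here
#LoadModule lua_module modules/mod_lua.so
LoadModule ssl_module modules/mod_ssl.so'

SAMPLE_CHANGELOG='* Mon Jan 10 2022 packager - 2.4.6-97
- Resolves: CVE-2021-44790 - mod_lua buffer overflow in multipart parser'

# Usage on a real host (commands exist on CentOS/RHEL; run as a user that may
# read the httpd configuration):
#   report "$(httpd -M 2>/dev/null)"
#   mod_lua_configured "$(cat /etc/httpd/conf.modules.d/*.conf)" && echo "LoadModule present"
#   changelog_mentions_fix "$(rpm -q --changelog httpd)" && echo "fix backported"
report "$SAMPLE_WITH_LUA"
report "$SAMPLE_WITHOUT_LUA"
```

If `mod_lua_loaded` reports the module on a host where nothing uses it, the least-privilege fix is to comment out or remove the `LoadModule lua_module` line and reload httpd; the `changelog_mentions_fix` check is what answers the original question about distribution updates, since the CentOS package keeps the 2.4.6 version string regardless of which security fixes have been backported.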

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.