Lua script related CVE

A critical CVE was noted regarding Lua.

Wondering if this relates to OOD’s usage of Lua.

CVE-2021-44790
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

https://nvd.nist.gov/vuln/detail/CVE-2021-44790

Thanks for the heads up! We don’t use r:parsebody() (or deal with the body of requests) so it doesn’t look like it affects us.

Though, you won’t be able to disable the lua module because we do rely on it. So sites will have to check out what other apps/sites they’re running behind the same apache.

Hi Jeff,

Our security folks are not satisfied with your answer and are concerned about OOD’s vulnerability to this CVE. Would you mind providing some more detail about this?

Thanks
Martin

The attack vector is to send a request and, when some Lua code hits r:parsebody(), get a buffer overflow.

We don’t use that API, parsebody(), anywhere.

Here’s an example of where we use parseargs(), but this CVE is directly related to the function parsebody() which we do not invoke.

As I write this, I can see that we don’t invoke it directly but could invoke it indirectly (maybe parseargs calls parsebody). Shoot, well, looks like I’ve got to look into this a bit more.

I can find no other reference to this function other than its definition. Meaning any other function like parseargs doesn’t then call parsebody.

So we don’t call it directly and I don’t believe we’re calling it indirectly either.

Or a more liberal search.

I also pulled the code to the tag we use and just grepped for it too.

Thanks Jeff. From looking at the source (httpd/modules/lua/lua_request.c), req_parseargs() is relatively simple and does not call req_parsebody(), which is more complex (buffer allocations, etc.), so it does look like OOD is unaffected by this CVE.
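
As an added example (not code from this thread or from the Open OnDemand project), a small POSIX shell audit that does what the posts above describe by hand: list the Lua scripts under a directory that call parsebody(), leave parseargs()-only scripts alone, and flag whether a given httpd version is in the affected range (2.4.51 and earlier). The sample directory, file names and version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or Open OnDemand: audit a tree of mod_lua
# scripts for r:parsebody() calls and check whether an httpd version is in the
# range affected by CVE-2021-44790 (2.4.51 and earlier). Demo data constructed.

# Print the Lua files under $1 that call parsebody(). parseargs()-only scripts
# are not listed: the bug is in the multipart parser behind parsebody().
# Textual search only, so read each hit to confirm it is a real call.
find_parsebody_callers() {
  find "$1" -name '*.lua' -exec grep -lE '(:|\.)parsebody[[:space:]]*\(' {} + || true
}

# Return 0 when version $1 (e.g. 2.4.51) is 2.4.51 or earlier, 1 otherwise.
httpd_version_affected() {
  maj=$(printf '%s' "$1" | cut -d. -f1)
  min=$(printf '%s' "$1" | cut -d. -f2)
  pat=$(printf '%s' "$1" | cut -d. -f3)
  if [ "$maj" -lt 2 ]; then return 0; fi
  if [ "$maj" -eq 2 ] && [ "$min" -lt 4 ]; then return 0; fi
  if [ "$maj" -eq 2 ] && [ "$min" -eq 4 ] && [ "$pat" -le 51 ]; then return 0; fi
  return 1
}

# Audit Lua tree $1 against httpd version $2. Exit status: 0 = version not
# affected; 1 = affected version but no parsebody() caller here (patch httpd
# anyway: mod_lua stays loaded and other apps behind it may call it);
# 2 = affected version and a script in this tree calls parsebody().
audit_cve_2021_44790() {
  callers=$(find_parsebody_callers "$1")
  if ! httpd_version_affected "$2"; then
    echo "httpd $2 is not in the affected range"; return 0
  fi
  if [ -z "$callers" ]; then
    echo "httpd $2 affected; no parsebody() caller under $1"; return 1
  fi
  echo "httpd $2 affected; parsebody() is called by:"; echo "$callers"
  return 2
}

# Constructed sample tree: a parseargs()-only script (the OOD pattern from
# the thread) and one that calls parsebody().
make_sample_tree() {
  mkdir -p "$1"
  printf 'local args = r:parseargs()\nr:puts(args.user or "")\n' > "$1/args_only.lua"
  printf 'local fields = r:parsebody(1048576)\n' > "$1/uses_body.lua"
}

tree=$(mktemp -d) && make_sample_tree "$tree"
audit_cve_2021_44790 "$tree" 2.4.51; echo "exit status $?"   # prints 2
rm -rf "$tree"
```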
