CVE-2021-44790
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Thanks for the heads up! We don’t use r:parsebody() (or deal with the body of requests) so it doesn’t look like it affects us.
Though you won’t be able to disable the Lua module, because we do rely on it. So sites will have to check out what other apps/sites they’re running behind the same Apache.
Our security folks are not satisfied with your answer and are concerned about OOD’s vulnerability to this CVE. Would you mind providing some more detail about this?
The attack vector is to send a request and, when some Lua code hits r:parsebody(), get a buffer overflow.
We don’t use that API parsebody() anywhere.
Here’s an example of where we use parseargs(), but this CVE is directly related to the function parsebody() which we do not invoke.
As I write this, I can see that we don’t invoke it directly but could invoke it indirectly (maybe parseargs calls parsebody). Shoot, well, looks like I’ve got to look into this a bit more.
Thanks Jeff. From looking at the source (httpd/modules/lua/lua_request.c), req_parseargs() is relatively simple and does not call req_parsebody(), which is more complex (buffer allocations, etc.), so it does look like OOD is unaffected by this CVE.
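An added example, not code from the OOD project or from anyone in this thread: a POSIX shell audit that does the two checks the thread turns on, whether any Lua handler reachable by httpd calls r:parsebody(), and whether the installed httpd is in the affected range (2.4.51 and earlier; the fix shipped in 2.4.52). The two sample handlers it creates are constructed for the demonstration; the directory to scan and the `Server version: Apache/x.y.z` banner format of `httpd -v` are assumptions about the reader's deployment.

```shell
#!/bin/sh
# Audit for CVE-2021-44790 exposure (added example, not OOD code).
# 1. list every Lua file under a directory that references parsebody
# 2. decide whether an httpd version string is 2.4.51 or earlier

# Prints "file:line:text" for each Lua file under $1 that mentions
# parsebody (r:parsebody(...), r.parsebody, or an alias such as
# `local pb = r.parsebody`). Returns 0 if anything was found, 1 if not.
find_parsebody_calls() {
    hits=$(find "$1" -name '*.lua' -exec grep -Hn 'parsebody' {} + 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Returns 0 if version $1 (e.g. "2.4.51") is in the affected range
# (<= 2.4.51), 1 if it is fixed (>= 2.4.52), 2 if the input is empty.
httpd_version_affected() {
    [ -n "$1" ] || return 2
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 51 ]; then return 0; fi
    return 1
}

# Extracts "2.4.51" from a banner like "Server version: Apache/2.4.51 (Unix)".
# Assumption: that is the first line printed by `httpd -v`.
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Creates a temporary directory with two constructed handlers (not real
# OOD code): one that only calls r:parseargs(), one that calls r:parsebody().
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/query.lua" <<'EOF'
-- Only touches the query string; never parses the request body.
function handle(r)
    local args = r:parseargs()
    r:puts(args.user or "anonymous")
    return apache2.OK
end
EOF
    cat > "$d/upload.lua" <<'EOF'
-- Parses a multipart body: this is the code path CVE-2021-44790 reaches.
function handle(r)
    local post, files = r:parsebody(1024 * 1024)
    return apache2.OK
end
EOF
    printf '%s\n' "$d"
}

main() {
    tree=${1:-$(make_sample_tree)}
    echo "Lua files referencing parsebody under $tree:"
    find_parsebody_calls "$tree" || echo "  (none)"

    banner=$(httpd -v 2>/dev/null | head -n 1)
    ver=$(version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "httpd not found on PATH; pass the version to httpd_version_affected manually"
    elif httpd_version_affected "$ver"; then
        echo "httpd $ver is affected: upgrade to 2.4.52 or later"
    else
        echo "httpd $ver already carries the fix"
    fi
}

main "$@"
```

Run it with the directory your LuaHookHandler / LuaMapHandler scripts live in as the first argument. The scan is textual: it catches direct calls and plain aliases of the method name, but not a call reached through a name built at runtime, so treat a clean result as "no direct caller found" rather than proof. The version check matters independently of the scan, because any other application sharing the same httpd can still hand a multipart body to r:parsebody().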