Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-22720

CVE-2022-22720: Apache HTTP Server DoS Vulnerability

CVE-2022-22720 is a DoS vulnerability in Apache HTTP Server 2.4.52 and earlier that exposes systems to HTTP Request Smuggling attacks. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2022-22720 Overview

Apache HTTP Server 2.4.52 and earlier contains a vulnerability where the server fails to close inbound connections when errors are encountered while discarding the request body. This improper connection handling exposes the server to HTTP Request Smuggling attacks, allowing malicious actors to potentially bypass security controls, poison web caches, and hijack user sessions.

Critical Impact

This HTTP Request Smuggling vulnerability enables attackers to bypass front-end security controls, access unauthorized resources, and potentially compromise backend systems through desynchronization attacks on connection handling.

Affected Products

  • Apache HTTP Server versions up to and including 2.4.52
  • Fedora 34, 35, and 36
  • Debian Linux 9.0
  • Oracle Enterprise Manager Ops Center 12.4.0.0
  • Oracle HTTP Server 12.2.1.3.0 and 12.2.1.4.0
  • Oracle ZFS Storage Appliance Kit 8.8
  • Apple macOS and Mac OS X 10.15.7 (various security update versions)

Discovery Timeline

  • 2022-03-14 - CVE-2022-22720 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-22720

Vulnerability Analysis

This vulnerability (CWE-444: Inconsistent Interpretation of HTTP Requests) represents a classic HTTP Request Smuggling flaw stemming from improper connection state management. When Apache HTTP Server encounters an error while discarding a request body, it fails to properly close the inbound connection. This leaves the connection in an inconsistent state where remnants of the malformed request can be interpreted as the beginning of a subsequent request.

HTTP Request Smuggling attacks exploit discrepancies between how front-end and back-end servers interpret HTTP request boundaries. In this case, an attacker can craft a malicious request that causes Apache to misinterpret where one request ends and another begins. The vulnerability is particularly dangerous in environments where Apache sits behind a reverse proxy or load balancer, as the desynchronization between systems can lead to request routing confusion.

Root Cause

The root cause lies in Apache HTTP Server's error handling logic when processing request bodies. Under normal operation, when a request includes a body (indicated by Content-Length or Transfer-Encoding headers), the server must fully consume or discard this body before processing the next request on the same connection. When an error occurs during this discard operation, the server should close the connection to prevent any leftover data from being misinterpreted.

However, in vulnerable versions, the connection remains open after such errors. Any unread data from the malformed request body stays in the connection buffer and gets treated as part of the next legitimate request. This creates the smuggling condition where an attacker-controlled payload crosses request boundaries.

Attack Vector

The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests designed to trigger error conditions during body processing while leaving malicious content in the connection stream.

In a typical exploitation scenario, the attacker sends a request with conflicting Content-Length and Transfer-Encoding headers, or a request body that intentionally triggers parsing errors. The remnant data left in the connection can then:

  • Hijack the next legitimate user's request
  • Poison web cache entries with malicious content
  • Bypass access controls by appearing to originate from trusted internal sources
  • Exfiltrate data by routing responses to attacker-controlled endpoints

The technical details of exploitation involve manipulating HTTP request boundaries through careful crafting of headers and body content that survive the error-handling path.

Detection Methods for CVE-2022-22720

Indicators of Compromise

  • Unusual patterns of HTTP 400 errors followed by successful requests on the same connection
  • Log entries showing malformed Content-Length or Transfer-Encoding headers
  • Evidence of cache poisoning or unexpected content in cached responses
  • Requests appearing to originate from internal addresses when they should be external

Detection Strategies

  • Monitor Apache access and error logs for requests with conflicting Content-Length and Transfer-Encoding headers
  • Implement web application firewall (WAF) rules to detect and block HTTP Request Smuggling patterns
  • Deploy intrusion detection systems (IDS) with signatures for request smuggling techniques
  • Analyze connection persistence patterns for anomalous behavior during error conditions

Monitoring Recommendations

  • Enable detailed Apache logging including request body information where feasible
  • Set up alerts for spikes in HTTP 400-series errors that may indicate exploitation attempts
  • Monitor for unusual cache behavior or content that doesn't match expected responses
  • Track connection reuse patterns between front-end proxies and Apache backend servers

How to Mitigate CVE-2022-22720

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.53 or later immediately
  • Review and apply vendor-specific patches from Oracle, Apple, and Linux distribution maintainers
  • Audit configurations to ensure proper request body handling and connection management
  • Temporarily disable connection keep-alive if patching cannot be performed immediately

Patch Information

Apache has addressed this vulnerability in version 2.4.53 and later releases. Organizations should consult the official Apache HTTPD Vulnerabilities List for authoritative patch information.

For downstream vendors:

Workarounds

  • Disable HTTP keep-alive connections by setting KeepAlive Off in Apache configuration to prevent connection reuse exploitation
  • Implement strict request validation at the reverse proxy or load balancer layer to normalize requests before they reach Apache
  • Configure front-end proxies to close connections when errors are detected rather than reusing them
  • Deploy a web application firewall with HTTP Request Smuggling detection capabilities
bash
# Temporary mitigation: Disable keep-alive connections
# Add to Apache configuration file (httpd.conf or apache2.conf)
KeepAlive Off

# Alternative: Reduce KeepAliveTimeout to minimize exposure window
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 50

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne