CVE-2022-22721 Overview
CVE-2022-22721 is an integer overflow vulnerability in Apache HTTP Server 2.4.52 and earlier when the server is running as a 32-bit build (NVD scores it 9.8, Critical, under CVSS 3.1). If the LimitXMLRequestBody directive is set to allow XML request bodies larger than roughly 350MB (the documented default is 1000000 bytes, about 1MB, and a value of 0 removes the limit entirely), a size derived from the body length overflows 32-bit arithmetic. The wrapped result is later used to size memory, and the out-of-bounds writes that follow let an attacker corrupt memory and compromise the server's integrity or availability. The directive governs bodies handed to httpd's XML parser, which is used by modules such as mod_dav, so the bug is only reachable where such a module is loaded.
Critical Impact
A remote, unauthenticated attacker can trigger the overflow with a single oversized XML request body, causing out-of-bounds writes in the worker process. The realistic outcome is a crash (denial of service); arbitrary code execution is possible in principle but not demonstrated publicly. Because exploitation needs both a 32-bit build and a non-default LimitXMLRequestBody, Apache's own advisory rated the issue low even though NVD scores it 9.8.
Affected Products
- Apache HTTP Server 2.4.x up to and including 2.4.52 (2.4.53 is the first fixed release); only 32-bit builds are exploitable
- Fedora 34, 35, and 36
- Debian Linux 9.0
- Oracle Enterprise Manager Ops Center 12.4.0.0
- Oracle HTTP Server 12.2.1.3.0 and 12.2.1.4.0
- Oracle ZFS Storage Appliance Kit 8.8
- Apple macOS and Mac OS X (various versions through security updates)
Discovery Timeline
- March 14, 2022 - Apache HTTP Server 2.4.53 released with the fix, and CVE-2022-22721 published to NVD the same day (the bug was reported by an anonymous researcher working with Trend Micro's Zero Day Initiative)
- November 21, 2024 - Last updated in the NVD database
Technical Details for CVE-2022-22721
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw is in how Apache HTTP Server derives buffer sizes from the length of an XML request body on 32-bit architectures. The body itself is capped by LimitXMLRequestBody, so with the default of 1000000 bytes the derived value stays small; once an administrator raises the cap past roughly 350MB, the arithmetic performed on the body length can exceed what a 32-bit integer holds and wraps.
The wrapped value is much smaller than the size actually required. Memory is then allocated from the wrapped value, and when the server writes data sized from the real body length into that undersized buffer, the write runs past its end. Depending on what sits in the adjacent memory this corrupts other data, crashes the worker process, or, in the worst case, gives an attacker influence over control flow.
Root Cause
The root cause is unchecked 32-bit integer arithmetic on the XML request body length. Before 2.4.53, LimitXMLRequestBody accepted any non-negative byte count, and 0 disables the limit altogether (the 2.4.53 change log describes the issue as a possible buffer overflow "with very large or unlimited LimitXMLRequestBody"). On a 32-bit build, size calculations on values above approximately 350MB wrap. The default 1000000-byte limit keeps the arithmetic far from that boundary, but administrators who raise the limit to accept large XML payloads, or set it to 0, expose the server without any other change.
Attack Vector
Exploitation requires network access to a vulnerable Apache HTTP Server. An attacker sends an HTTP request carrying an XML body larger than roughly 350MB to a 32-bit server on which LimitXMLRequestBody has been raised above that threshold (or set to 0) and a module that parses XML bodies, such as mod_dav, handles the request. No authentication is required and no user interaction is needed. Note that the body must actually be transferred, so the request takes hundreds of megabytes of bandwidth and is slow and conspicuous by web-traffic standards.
The attack flow involves:
- Identifying a 32-bit Apache HTTP Server with an elevated (or zero) LimitXMLRequestBody setting and an XML-consuming module such as mod_dav enabled
- Sending a request to that module (for example a WebDAV method) with an XML body exceeding roughly 350MB
- Triggering the integer overflow when the server derives a buffer size from the body length
- Using the resulting out-of-bounds write to crash the worker process or, potentially, to gain code execution
The mechanism is ordinary arithmetic wraparound: the derived size wraps to a small positive value, or, where the arithmetic is signed, to a negative one, and the memory operations that follow trust that value and write beyond the allocated buffer. For the authoritative description, refer to the Apache HTTP Server security advisory for 2.4.53 and the oss-security disclosure.
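The wraparound and the pre-check that prevents it, as an added illustration (this is not httpd's code and does not reproduce its functions). Two assumptions are made for illustration only, and both are marked in the code: the derived size is computed in a signed 32-bit integer, as the analysis above says, and each body byte may expand by a worst-case factor of 6; the page does not state httpd's actual multiplier. With those numbers the safe ceiling falls at 357913941 bytes, close to the "approximately 350MB" the advisory gives. The hardened form does the comparison in wide arithmetic before any multiply, which is the CWE-190 pattern to look for in a fix.

```c
/* Added illustration of the CWE-190 wraparound behind CVE-2022-22721.
 * Not httpd code. Assumptions for illustration only: the derived size is a
 * signed 32-bit int, and each body byte may expand by XML_EXPANSION_FACTOR;
 * the page does not state httpd's real multiplier. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XML_EXPANSION_FACTOR 6u   /* assumed worst-case growth per input byte */

/* Largest body length whose derived size still fits a signed 32-bit int. */
uint32_t max_safe_limit_xml_body(void)
{
    return (uint32_t)INT32_MAX / XML_EXPANSION_FACTOR;   /* 357913941 */
}

/* Hardened form: decide in 64-bit arithmetic, before any 32-bit multiply,
 * whether the derived size would overflow. */
bool size_overflows_i32(uint32_t body_len)
{
    return (uint64_t)body_len * XML_EXPANSION_FACTOR > (uint64_t)INT32_MAX;
}

/* Vulnerable form, reproduced portably: what a 32-bit build ends up with when
 * it multiplies without that check, i.e. the product truncated to 32 bits and
 * read back as a signed int. Computed via uint64_t so the wrap is simulated
 * rather than performed as undefined signed overflow. */
int32_t wrapped_size_i32(uint32_t body_len)
{
    uint32_t low = (uint32_t)((uint64_t)body_len * XML_EXPANSION_FACTOR);
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)(low - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Consequence when the wrapped value is a small positive number: a buffer of
 * that size is allocated and a write of the true derived length overruns it
 * by the returned count. A negative wrapped value takes a different path
 * (huge size_t, failed allocation, or a bypassed length check) and is
 * reported as 0 here because no undersized buffer exists in that case. */
uint64_t bytes_past_end(uint32_t body_len)
{
    int32_t wrapped = wrapped_size_i32(body_len);
    if (wrapped <= 0)
        return 0;
    return (uint64_t)body_len * XML_EXPANSION_FACTOR - (uint64_t)wrapped;
}

/* Configuration check for a 32-bit build: a LimitXMLRequestBody value is
 * unsafe if it exceeds the ceiling or is 0, which httpd treats as "no limit". */
bool limit_is_unsafe(uint64_t limit_bytes)
{
    return limit_bytes == 0 || limit_bytes > max_safe_limit_xml_body();
}

int main(void)
{
    const uint32_t bodies[] = { 1000000u, 400000000u, 750000000u };
    printf("safe LimitXMLRequestBody ceiling: %" PRIu32 " bytes\n",
           max_safe_limit_xml_body());
    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++) {
        uint32_t b = bodies[i];
        printf("body %10" PRIu32 ": overflows=%d wrapped=%11" PRId32
               " past_end=%" PRIu64 "\n",
               b, size_overflows_i32(b), wrapped_size_i32(b), bytes_past_end(b));
    }
    return 0;
}
```

The three sample body lengths show the three regimes the text describes: the default stays well inside the range, a 400MB body wraps to a negative value, and a 750MB body wraps to a small positive size (205032704 bytes) that a write of the full derived length would overrun by 4GiB.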
Detection Methods for CVE-2022-22721
Indicators of Compromise
- HTTP requests whose body exceeds roughly 350MB (or whatever LimitXMLRequestBody is set to) aimed at XML-consuming endpoints, such as WebDAV paths served by mod_dav
- Apache HTTP Server worker crashes (segfaults) or unexpected restarts on 32-bit systems
- Memory-corruption symptoms in the Apache error log, such as "exit signal Segmentation fault" messages for child processes
- XML request methods (PROPFIND, PROPPATCH, LOCK and similar) or POSTs with an extremely large Content-Length header
Detection Strategies
- Monitor Apache access logs for requests whose body size exceeds roughly 350MB. The stock common and combined LogFormats record the response size (%b), not the request size, so add %{Content-Length}i (the request header) or %I (bytes received, requires mod_logio) to the LogFormat first; %I also covers chunked bodies, which carry no Content-Length
- Inspect oversized HTTP request bodies at the network edge (reverse proxy, load balancer or WAF) before they reach the web server
- Run 32-bit Apache installations under crash reporting so that a segfaulting worker is captured and triaged rather than silently respawned
- Use intrusion detection signatures that flag XML request methods or content types with a very large declared body size
Monitoring Recommendations
- Extend the Apache LogFormat with the request size fields named above so body-size anomalies are visible at all; "verbose" logging alone does not record request size
- Configure alerts for Apache worker process crashes or unexpected terminations
- Watch per-worker memory growth on 32-bit servers: a multi-hundred-megabyte XML body being parsed is visible as a sudden jump in a single child's resident memory
- Review Apache configuration regularly for elevated or zero LimitXMLRequestBody values, including .htaccess files, where the directive is allowed when AllowOverride permits it
How to Mitigate CVE-2022-22721
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.53 or later
- On 32-bit systems, verify that LimitXMLRequestBody is at its default (1000000 bytes) or lower wherever it appears, and that it is never set to 0, which disables the limit
- Consider migrating remaining 32-bit Apache deployments to a 64-bit build, on which the arithmetic does not wrap
- Apply vendor-specific patches from Oracle, Apple, Fedora and Debian as applicable
Patch Information
Apache Software Foundation has addressed this vulnerability in Apache HTTP Server version 2.4.53. Security patches are available from multiple vendors:
- Apache: Upgrade to httpd 2.4.53 or later via the Apache HTTP Server download page
- Oracle: Patches available in the April 2022 Critical Patch Update and July 2022 CPU
- Apple: Security updates documented in HT213255, HT213256, and HT213257
- Fedora: Updated packages available via Fedora Package Announcements
- Debian: Advisory available via Debian LTS Announcement
- Gentoo: See GLSA 202208-20
- NetApp: Advisory at NTAP-20220321-0001
Workarounds
- Ensure LimitXMLRequestBody is at 1000000 bytes or less, and never 0, in every configuration context on 32-bit Apache installations (server, virtual host, directory and .htaccess)
- Set LimitRequestBody to a sane ceiling below 350MB; it is enforced while the body is read, so an oversized request is rejected with 413 before any XML parsing, at the cost of also capping non-XML uploads
- Put a reverse proxy or web application firewall in front of the server to drop requests whose declared body exceeds the chosen ceiling
- If WebDAV is not needed, do not load mod_dav (dav_module), the main in-tree consumer of the XML parser, and remove any other module that parses XML request bodies
# Configuration example - keep LimitXMLRequestBody at a safe value
# Add to httpd.conf (or the relevant virtual host / directory block)
# 1000000 is the documented default; 0 would disable the limit and must be avoided
LimitXMLRequestBody 1000000
# For stricter environments, use a lower value
# LimitXMLRequestBody 524288
# Verify the Apache version (2.4.53 or later is fixed); on Debian/Ubuntu the binary is apache2
httpd -v
# Check for a 32-bit vs 64-bit build (httpd -V also prints an "Architecture:" line)
file /usr/sbin/httpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

