CVE-2022-29404 Overview
CVE-2022-29404 is a Denial of Service vulnerability affecting Apache HTTP Server versions 2.4.53 and earlier. The flaw exists in the mod_lua module, where a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. This allows remote attackers to exhaust server resources by sending specially crafted requests with excessive input data.
Critical Impact
Remote attackers can exploit this vulnerability to cause service unavailability by exhausting server resources through unbounded input processing in Lua scripts, potentially taking down web servers handling critical applications.
Affected Products
- Apache HTTP Server versions up to and including 2.4.53
- Fedora Linux 35 and 36
- NetApp Clustered Data ONTAP
Discovery Timeline
- 2022-06-09 - CVE-2022-29404 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29404
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue resides in the mod_lua module's r:parsebody() function, which is used to parse the body of HTTP requests within Lua scripts.
When a Lua script calls r:parsebody(0), the parameter 0 indicates that there should be no limit on the input size. However, the implementation fails to enforce any reasonable default maximum, allowing attackers to submit arbitrarily large request bodies. The server will attempt to process this unbounded input, consuming memory and CPU resources until the system becomes unresponsive.
The attack is network-accessible, requires no authentication, and can be executed with low complexity, making it particularly dangerous for publicly accessible Apache web servers that utilize Lua scripting functionality.
Root Cause
The root cause of CVE-2022-29404 is the absence of a default limit on input size when the r:parsebody() function is called with a zero parameter value. The mod_lua module does not implement proper input validation or resource throttling mechanisms to prevent excessive memory allocation during request body parsing. This design oversight allows resource exhaustion attacks when processing maliciously crafted requests.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests with extremely large body content to a Lua script endpoint that calls r:parsebody(0). The attack flow involves:
- Identifying a target Apache server running mod_lua with a script that uses r:parsebody(0)
- Crafting HTTP POST requests with excessively large body content
- Sending multiple concurrent requests to amplify resource consumption
- The server attempts to parse the unbounded input, exhausting available memory
- Service becomes unavailable to legitimate users
The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, making it suitable for automated attacks.
Detection Methods for CVE-2022-29404
Indicators of Compromise
- Unusual memory consumption spikes on Apache HTTP Server processes
- Multiple large POST requests targeting Lua script endpoints in access logs
- Server crashes or restarts due to memory exhaustion
- Abnormally high network traffic to specific endpoints with large request bodies
Detection Strategies
- Monitor Apache access logs for POST requests with unusually large Content-Length headers targeting .lua endpoints
- Implement intrusion detection rules to alert on request bodies exceeding expected size thresholds
- Configure application performance monitoring to detect abnormal memory allocation patterns
- Review server configurations to identify Lua scripts using r:parsebody(0) without size limits
Monitoring Recommendations
- Enable detailed logging for mod_lua module activities
- Set up alerts for Apache process memory consumption exceeding normal thresholds
- Monitor for repeated connection attempts from single IP addresses to Lua endpoints
- Track server availability metrics to detect service degradation patterns
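As an added example (not from the original page or the Apache project) for the two log-based strategies above, the Python script below flags POST requests to .lua endpoints whose request Content-Length exceeds a threshold and reports source IPs that repeat them. It assumes a custom LogFormat that appends %{Content-Length}i, because the stock "combined" format only records the response size, not the request body length; the log lines are constructed samples.

```python
import re
from collections import Counter

# Assumed LogFormat (an assumption, not the page's own configuration): the stock
# "combined" format plus the request Content-Length header, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{Content-Length}i" combined_cl
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<clen>\S+)$'
)

def parse_line(line):
    """Parse one access-log line; returns a dict or None. A missing
    Content-Length ("-") is treated as 0."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["clen"] = int(rec["clen"]) if rec["clen"].isdigit() else 0
    return rec

def find_suspicious(lines, max_body=1048576, repeat_threshold=3):
    """Return (oversized, repeat_offenders). oversized lists (ip, path, clen)
    for POSTs to .lua paths whose Content-Length exceeds max_body;
    repeat_offenders maps ip -> count for IPs with >= repeat_threshold hits."""
    oversized = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].split("?", 1)[0].endswith(".lua"):
            continue
        if rec["clen"] > max_body:
            oversized.append((rec["ip"], rec["path"], rec["clen"]))
            per_ip[rec["ip"]] += 1
    repeat = {ip: n for ip, n in per_ip.items() if n >= repeat_threshold}
    return oversized, repeat

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2022:10:00:01 +0000] "POST /lua-scripts/upload.lua HTTP/1.1" 200 512 "-" "curl/7.81.0" 2147483648',
    '203.0.113.5 - - [10/Jun/2022:10:00:02 +0000] "POST /lua-scripts/upload.lua HTTP/1.1" 200 512 "-" "curl/7.81.0" 2147483648',
    '203.0.113.5 - - [10/Jun/2022:10:00:03 +0000] "POST /lua-scripts/upload.lua HTTP/1.1" 200 512 "-" "curl/7.81.0" 2147483648',
    '198.51.100.7 - - [10/Jun/2022:10:00:04 +0000] "POST /lua-scripts/upload.lua HTTP/1.1" 200 512 "-" "Mozilla/5.0" 4096',
    '198.51.100.8 - - [10/Jun/2022:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" -',
    '198.51.100.9 - - [10/Jun/2022:10:00:06 +0000] "POST /api/submit HTTP/1.1" 200 64 "-" "Mozilla/5.0" 5000000',
]

if __name__ == "__main__":
    over, repeat = find_suspicious(SAMPLE_LOG)
    for ip, path, clen in over:
        print(f"oversized POST to {path} from {ip}: {clen} bytes")
    for ip, n in repeat.items():
        print(f"{ip} sent {n} oversized POSTs to Lua endpoints")
```

Tune max_body to the largest body your Lua scripts legitimately accept; the non-.lua POST with a 5 MB body in the sample is deliberately ignored, since the check is scoped to mod_lua endpoints.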
How to Mitigate CVE-2022-29404
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.54 or later, which addresses this vulnerability
- Review all Lua scripts for usage of r:parsebody() and implement explicit size limits
- Consider temporarily disabling mod_lua if not essential for operations
- Implement request body size limits at the web server or reverse proxy level
Patch Information
Apache has addressed this vulnerability in Apache HTTP Server version 2.4.54. The official security advisory is available on the Apache HTTP Server Vulnerabilities page. Additional vendor-specific patches are available:
- Fedora Package Announcement for Fedora 35/36
- NetApp Security Advisory ntap-20220624-0005 for Clustered Data ONTAP
- Gentoo GLSA 202208-20 for Gentoo Linux
Workarounds
- Modify Lua scripts to use r:parsebody() with an explicit, reasonable size limit instead of 0
- Configure LimitRequestBody directive in Apache to restrict maximum request body size
- Deploy a Web Application Firewall (WAF) to filter requests with excessively large bodies
- Use a reverse proxy to implement request size validation before requests reach Apache
# Configuration example - Add to Apache httpd.conf or virtual host configuration
# Limit request body size to 1MB (adjust based on application requirements)
LimitRequestBody 1048576

# For specific Lua script directories, apply stricter limits
<Directory "/var/www/html/lua-scripts">
    LimitRequestBody 102400
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.