CVE-2022-41556 Overview
A resource leak vulnerability exists in gw_backend.c in lighttpd versions 1.4.56 through 1.4.66 that could lead to a denial of service condition through connection-slot exhaustion. The vulnerability is triggered after a large amount of anomalous TCP behavior by clients and is related to RDHUP (Remote Disconnect Hang Up) mishandling in certain HTTP/1.1 chunked transfer situations. Deployments using mod_fastcgi are particularly affected by this issue. The vulnerability has been addressed in lighttpd version 1.4.67.
Critical Impact
This resource exhaustion vulnerability can render lighttpd web servers unavailable by exhausting all available connection slots through malicious TCP behavior, leading to complete service denial for legitimate users.
Affected Products
- lighttpd versions 1.4.56 through 1.4.66
- Fedora Project Fedora 35
Discovery Timeline
- 2022-10-06 - CVE CVE-2022-41556 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-41556
Vulnerability Analysis
This vulnerability represents a classic resource leak scenario in the lighttpd web server's gateway backend handling code. The flaw manifests when processing HTTP/1.1 requests with chunked transfer encoding under specific network conditions. When clients exhibit anomalous TCP behavior, the server fails to properly release connection resources, leading to gradual resource depletion.
The core issue lies in the improper handling of RDHUP (Remote Disconnect Hang Up) events during chunked HTTP/1.1 transfers. RDHUP is a socket notification mechanism that indicates the remote peer has closed its end of the connection for writing. When lighttpd receives these signals in certain chunked transfer scenarios, it fails to properly clean up the associated connection slots, causing them to remain allocated indefinitely.
Root Cause
The root cause is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). In gw_backend.c, the code path responsible for handling backend gateway connections does not properly release connection resources when encountering RDHUP events during HTTP/1.1 chunked transfers. This results in connection slots being held in an unusable state, gradually consuming all available connection capacity.
The issue specifically affects the interaction between the frontend HTTP connection handling and the backend FastCGI/proxy communication layer. When the remote client exhibits unusual TCP behavior (such as sending RST packets or half-closing connections during chunked transfers), the backend connection state machine fails to transition properly to release the associated resources.
Attack Vector
The attack can be executed remotely over the network without authentication or user interaction. An attacker would need to establish multiple TCP connections to the vulnerable lighttpd server and deliberately exhibit anomalous TCP behavior during HTTP/1.1 chunked transfer requests.
The attack methodology involves:
- Establishing HTTP/1.1 connections to the target server
- Initiating requests that utilize chunked transfer encoding to backend modules (such as mod_fastcgi)
- Manipulating TCP connection behavior (half-closing, sending unexpected packets, or timing manipulation)
- Repeating the process to gradually exhaust available connection slots
As connection slots become exhausted, the server becomes unable to accept new legitimate connections, resulting in denial of service.
Detection Methods for CVE-2022-41556
Indicators of Compromise
- Unusual increase in half-open or stuck TCP connections on lighttpd ports (typically 80/443)
- Connection pool exhaustion warnings or errors in lighttpd server logs
- Gradual increase in memory consumption without corresponding traffic increase
- Legitimate client connections being refused with "connection refused" or timeout errors
Detection Strategies
- Monitor lighttpd connection pool utilization metrics for abnormal patterns approaching maximum thresholds
- Implement connection tracking to identify clients exhibiting unusual TCP behavior patterns during chunked transfers
- Configure alerting on sudden increases in connection establishment rates combined with low request completion rates
- Review server logs for patterns indicating incomplete HTTP/1.1 chunked transfers
Monitoring Recommendations
- Set up continuous monitoring of active connection counts versus configured connection limits
- Implement network-level monitoring for anomalous TCP state patterns (excessive FIN_WAIT, CLOSE_WAIT states)
- Deploy application performance monitoring to track request completion rates versus connection establishment rates
- Configure real-time alerting when connection utilization exceeds 80% of maximum configured slots
How to Mitigate CVE-2022-41556
Immediate Actions Required
- Upgrade lighttpd to version 1.4.67 or later immediately
- Review current connection pool utilization to ensure no ongoing exploitation
- Implement connection rate limiting at the network or load balancer level as a temporary measure
- Consider temporarily disabling or restricting access to mod_fastcgi endpoints if immediate patching is not possible
Patch Information
The vulnerability is fixed in lighttpd version 1.4.67. The fix addresses the RDHUP handling logic in gw_backend.c to ensure proper resource cleanup under all connection termination scenarios. Organizations should upgrade to this version or later as soon as possible.
The specific fix can be reviewed in the Lighttpd Commit Update. A comparison of changes between the vulnerable and patched versions is available in the Lighttpd Version Comparison.
For Fedora users, updated packages are available through the Fedora Package Announcement. Gentoo users should refer to the Gentoo GLSA Advisory.
Workarounds
- Implement aggressive connection timeouts to automatically release stuck connections
- Deploy a reverse proxy or load balancer in front of lighttpd to filter anomalous connection behavior
- Configure server.max-connections to a lower value with automatic connection cleanup to limit impact
- Use firewall rules to rate-limit new connections per source IP address
# Configuration example for connection limits
# Add to lighttpd.conf to mitigate connection exhaustion
server.max-connections = 1024
server.max-keep-alive-requests = 100
server.max-keep-alive-idle = 30
server.event-handler = "linux-sysepoll"
# Network-level rate limiting using iptables
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 50 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
