A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. CVE-2018-13750

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. CVE-2018-13749


Lighttpd (CVE-2017-7643)

A denial of service vulnerability was found in lighttpd 1.4.39 and earlier, caused by a resource leak in gw_backend.c when handling requests with an invalid chunked HTTP request header. Users can send a series of malformed requests to trigger the issue (CVE-2017-7643). This is fixed in lighttpd 1.4.40 (CVE-2017-7653).


A denial of service vulnerability was found in lighttpd 1.4.39 and earlier, caused by a resource leak in gw_backend when handling requests with an invalid chunked HTTP request header. It can cause memory exhaustion after malformed requests are sent to the server for a short period of time, and it is not detected until the process crashes or hangs on accessing its own read-only data structures (CVE-2017-7634). Use of mod_fastcgi is affected by this vulnerability but is not necessary for exploitation, because other common configurations also trigger the issue without using mod_fast

Lighttpd 1.4.x  1.4.67  2.0.10


Timeline

Published on: 10/06/2022 18:17:00 UTC
Last modified on: 10/31/2022 04:15:00 UTC
