Reference: Advisory #2022-006
Version: 1.0
Affected software: Apache HTTP Server 2.4 version 2.4.52
Type: Denial-of-Service and Remote Code Execution
CVE/CVSS: CVE-2022-22719: CVSS 7.5 - Improper Initialization could lead to DoS
https://httpd.apache.org/security/vulnerabilities_24.html
Apache has published a new version, 2.4.53, that fixes several critical vulnerabilities present in Apache HTTP Server. An unpatched Apache HTTP Server exposes users to several attacks against the server; successful exploitation of these flaws could lead to code execution or denial of service. Although the flaws are exploitable, no active exploitation attempts had been observed at the time of writing.
JFrog released a security blog highlighting CVE-2022-23943 and giving a technical overview of the vulnerability.
The Centre for Cyber Security Belgium recommends upgrading to Apache version 2.4.53, which contains fixes for the above-mentioned vulnerabilities, with the highest priority. Updates can be found on the Apache HTTP Server Project
If upgrading Apache to the latest version or applying the patch is not possible, you are required to limit the body size of POST requests. This can be achieved with the LimitRequestBody directive in Apache's configuration file. The directive sets a limit on the request body size, from 0 (meaning no limit) up to 2 GB of data.
This mitigation only protects against malicious client requests; it does not prevent attackers from using mod_sed to modify large files (>2 GB) that are already present on the vulnerable server.
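The following script is an added example and is not part of the CCB advisory or the Apache project: it audits an Apache configuration for the LimitRequestBody mitigation described above and for the mod_sed caveat that follows it. It assumes the configuration is a single file read from standard input (Include directives are not followed) and uses the 0 to 2 GB (2147483647 bytes) range cited in the advisory; the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CCB advisory): audit an Apache configuration,
# read from stdin, for the LimitRequestBody mitigation and the mod_sed caveat.
# Assumption: single-file configuration, Include directives are not followed.

# Print the value of the last LimitRequestBody directive, ignoring comments.
# Prints an empty line when the directive is absent.
limit_request_body_value() {
    sed -e 's/#.*//' | awk 'tolower($1) == "limitrequestbody" { v = $2 } END { print v }'
}

# Exit 0 when a finite limit is configured (1 .. 2147483647 bytes, the
# 2 GB maximum cited above); exit 1 otherwise. A value of 0 means "no limit"
# in Apache and is therefore treated as the weak setting.
limit_request_body_ok() {
    value=$(limit_request_body_value)
    case "$value" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$value" -ge 1 ] && [ "$value" -le 2147483647 ]
}

# Exit 0 when mod_sed is loaded. The advisory notes that LimitRequestBody does
# not stop mod_sed from processing large files already on the server, so a
# loaded mod_sed is worth flagging alongside the request-body check.
mod_sed_loaded() {
    sed -e 's/#.*//' | grep -Eqi '^[[:space:]]*LoadModule[[:space:]]+sed_module'
}

# Constructed sample configurations (not real deployments).
WEAK_CONF='LoadModule sed_module modules/mod_sed.so
LimitRequestBody 0   # 0 = unlimited: no mitigation in place'
FIXED_CONF='# mod_sed left disabled
LimitRequestBody 10485760'

# Print a one-line verdict for each check over a configuration string.
audit_conf() {
    if printf '%s\n' "$1" | limit_request_body_ok; then
        echo "LimitRequestBody: finite limit set"
    else
        echo "LimitRequestBody: missing or unlimited (0)"
    fi
    if printf '%s\n' "$1" | mod_sed_loaded; then
        echo "mod_sed: loaded (limit does not cover large server-side files)"
    else
        echo "mod_sed: not loaded"
    fi
}

echo "== weak configuration =="
audit_conf "$WEAK_CONF"
echo "== fixed configuration =="
audit_conf "$FIXED_CONF"
```

To audit a real installation, pipe the configuration in (for example `limit_request_body_ok < /etc/httpd/conf/httpd.conf`) or pass the output of a tool that resolves Include directives first; the check only reads the text it is given.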
https://jfrog.com/blog/diving-into-cve-2022-23943-a-new-apache-memory-corruption-vulnerability/
https://access.redhat.com/security/cve/cve-2022-23943
https://www.iicybersecurity.com/4-critical-vulnerabilities-patched-in-apache-http-server.html