lighttpd denial of service vulnerability (CVE-2022-41556)

Advisory ID

WGSA-2024-00005

CVE

CVE-2022-41556

Impact

High

Status

Not Applicable

Product Family

Firebox, Dimension, Secure Wi-Fi

Published Date

2024-02-16

Updated Date

2024-02-16

Workaround Available

False

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

Affected

No WatchGuard products use the affected version of the lighttpd library

Resolution

No resolution necessary

References

https://nvd.nist.gov/vuln/detail/CVE-2022-41556

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Firebox	Fireware OS 12.5.x	T15, T35
Dimension	Dimension	Dimension
Secure Wi-Fi	Wi-Fi 4 & 5	AP125, AP225W, AP325, AP327X, AP420
Secure Wi-Fi	Wi-Fi 6	AP130, AP330, AP332CR, AP430CR, AP432

Liste consultative

Go to