PublicDateAtUSN: 2021-12-20 12:15:00 UTC
Candidate: CVE-2021-44790
PublicDate: 2021-12-20 12:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790
 https://httpd.apache.org/security/vulnerabilities_24.html
 https://ubuntu.com/security/notices/USN-5212-1
 https://ubuntu.com/security/notices/USN-5212-2
Description:
 A carefully crafted request body can cause a buffer overflow in the mod_lua
 multipart parser (r:parsebody() called from Lua scripts). The Apache httpd
 team is not aware of an exploit for the vulnerabilty though it might be
 possible to craft one. This issue affects Apache HTTP Server 2.4.51 and
 earlier.
Ubuntu-Description: 
Notes: 
 mdeslaur> Fixed by r1896039 in 2.4.x
 sbeattie> mod_lua is not runtime enabled with Apache's package config
   in Ubuntu by default.
Mitigation: 
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_apache2:
 upstream: https://svn.apache.org/viewvc?view=revision&revision=1896039
 upstream: https://github.com/apache/httpd/commit/07b9768cef6a224d256358c404c6ed5622d8acce
upstream_apache2: released (2.4.52)
trusty/esm_apache2: released (2.4.7-1ubuntu4.22+esm3)
esm-infra/xenial_apache2: released (2.4.18-2ubuntu3.17+esm4)
bionic_apache2: released (2.4.29-1ubuntu4.21)
focal_apache2: released (2.4.41-4ubuntu3.9)
hirsute_apache2: released (2.4.46-4ubuntu1.5)
impish_apache2: released (2.4.48-3.1ubuntu3.2)
jammy_apache2: released (2.4.52-1ubuntu1)
devel_apache2: released (2.4.52-1ubuntu1)