Security Advisory

HTTPD - CVE-2022-22720
Published: May 12, 2022
Last Update: July 26, 2022

In March 2022, apache.org disclosed [1] an HTTPD vulnerability that may expose the server to HTTP request smuggling when the HTTP daemon does not close an inbound connection following errors encountered when attempting to discard an HTTP request body. This vulnerability may affect the GUI and AXAPI management plane services of ACOS devices and is addressed in this document.

Item Score
# Vulnerability ID Source Score Summary
1 CVE-2022-22720 CVSS 3.0 9.8 Critical httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling [2]
Affected Releases

The table below indicates releases of ACOS exposed to this vulnerability and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.

Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.

Releases Affected Releases Resolved or Unaffected
5.0.0 - 5.2.1-P5 5.2.1-P6
5.0.1 TPS - 5.0.2-P1 TPS 5.0.2-P2-TPS
4.1.4-GR1 - 4.1.4-GR1-P10 4.1.4-GR1-P11
3.2.3-P1 - 3.2.5-P6 5.0.2-P2
Workarounds and Mitigations


Software Updates

Software updates that address these vulnerabilities are or will be published at the following URL:

Vulnerability Details

The following table shares brief descriptions for the vulnerabilities addressed in this document.

Vulnerability ID Vulnerability Description

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.



Modification History
Revision Date Description
1.0 May 12, 2022

Initial Publication

1.1 July 26, 2022

Updated 5.2.1 resolved release to 5.2.1-P6

© Copyright 2022 A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.