In March 2022, apache.org disclosed  an HTTPD vulnerability that may expose the server to HTTP request smuggling when the HTTP daemon does not close an inbound connection following errors encountered when attempting to discard an HTTP request body. This vulnerability may affect the GUI and AXAPI management plane services of ACOS devices and is addressed in this document.
|1||CVE-2022-22720||CVSS 3.0||9.8 Critical||httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling |
The table below indicates releases of ACOS exposed to this vulnerability and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
|Releases Affected||Releases Resolved or Unaffected|
|5.0.0 - 5.2.1-P5||5.2.1-P6|
|5.0.1 TPS - 5.0.2-P1 TPS||5.0.2-P2-TPS|
|4.1.4-GR1 - 4.1.4-GR1-P10||4.1.4-GR1-P11|
|3.2.3-P1 - 3.2.5-P6||5.0.2-P2|
Software updates that address these vulnerabilities are or will be published at the following URL:
The following table shares brief descriptions for the vulnerabilities addressed in this document.
|Vulnerability ID||Vulnerability Description|
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
|Ref #||General Link|
|1||Apache.org - Apache HTTP Server 2.4 vulnerabilities|
|2||NIST NVD, CVE-2022-22720|
|1.0||May 12, 2022||
|1.1||July 26, 2022||
Updated 5.2.1 resolved release to 5.2.1-P6
© Copyright 2022 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.