A critical CVE was noted regarding LUA.
Wondering if this relates to OOD’s usage of LUA.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Thanks for the heads up! We don’t use
r:parsebody() (or deal with the body of requests) so it doesn’t look like it affects us.
Though, you won’t be able to disable the lua module because we do rely on. So sites will have to checkout what other apps/sites that they’re running behind the same apache.
our security folks are not satisfied with your answer and are concerned about OOD’s vulnerability to this CVE. Would you mind providing some more detail about this?
The attack vector is to send a request and when some lua code hits
r:parsebody() get a buffer overflow.
We don’t use that API
Here’s an example of where we use
parseargs(), but this CVE is directly related to the function
parsebody() which we do not invoke.
local user = user_map.map(r, user_map_match, user_map_cmd, user_env and r.subprocess_env[user_env] or r.user)
if not user then
if map_fail_uri then
return http.http302(r, map_fail_uri .. "?redir=" .. r:escape(r.unparsed_uri))
return http.http404(r, "failed to map user (" .. r.user .. ")")
-- grab "redir" query param
local GET, GETMULTI = r:parseargs()
local redir = GET['redir']
-- grab task specified in nginx URI request
local task = r.uri:match("^" .. nginx_uri .. "/([^/]+)$")
-- generate shell command from requested task
-- please see `nginx_stage` documentation for explanation of shell command
local err = nil
if task == "init" then
-- initialize app based on "redir" param (require a valid redir parameter)
As I write this - I can see that we don’t invoke it directly but could invoke it indirectly (maybe parseargs calls parsebody). Shoot, well looks like I’ve got to look into this a bit more.
I can find no other reference to this function other than it’s definition. Meaning any other function like
parseargs doesn’t then call
So we don’t call it directly and I don’t believe we’re calling it indirectly either.
or a more liberal search.
I also pulled the code to the tag we use and just grepped for it to.
Thanks Jeff. From looking at the source (
httpd/modules/lua/lua_request.c), the req_parseargs() is relatively simple and does not call req_parsebody(), which is more complex (buffer allocations, etc), so, it does look like OOD is unaffected by this CVE.