CVE-2022-41556: 
NixOS vulnerability analysis and mitigation

CVE-2022-41556 is a resource leak vulnerability discovered in lighttpd versions 1.4.56 through 1.4.66, specifically in the gwbackend.c component. The vulnerability was disclosed on October 6, 2022, and affects the lighttpd web server. The issue could lead to a denial of service condition through connection-slot exhaustion after a large amount of anomalous TCP behavior by clients, particularly related to RDHUP mishandling in certain HTTP/1.1 chunked situations. The vulnerability notably affects configurations using modfastcgi (NVD, Ubuntu).

The vulnerability stems from improper handling of RDHUP (Remote hangup) events when collecting HTTP/1.1 chunked request bodies, particularly when not streaming request body to backend. The issue manifests in the gw_backend.c file and can result in connection slots becoming exhausted. The CVSS 3.1 base score for this vulnerability is 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and high impact on availability (Ubuntu).

The primary impact of this vulnerability is a denial of service condition through connection-slot exhaustion. When exploited, the vulnerability can lead to the server running out of available connection slots, preventing legitimate users from establishing new connections to the web server. This is particularly severe in environments with long-lived connections or high traffic volumes (Rapid7).

The vulnerability has been fixed in lighttpd version 1.4.67. Organizations running affected versions should upgrade to version 1.4.67 or later to address this security issue. No effective workarounds are available for this vulnerability, making the upgrade the only reliable solution (Gentoo).