This document describes Trellix's position relative to the support of a Trellix product or service.
Trellix response to Apache vulnerability CVE-2022-22721:
Overview
This document addresses concerns about ePolicy Orchestrator (ePO) and the Apache HTTP server vulnerability documented in
CVE-2022-22721.
Description
CVE-2022-22721:
If LimitXMLRequestBody is set to allow request bodies larger than 350 MB (defaults to 1M) on 32-bit systems, an integer overflow happens, which later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
Research and Conclusions
The ePO Engineering team has reviewed this CVE and determined that it isn't applicable to ePO. ePO doesn't explicitly set the LimitXMLRequestBody directive, so the Apache default of 1,000,000 bytes (1M) applies. That default is far below the 350 MB threshold at which the overflow occurs, so ePO isn't vulnerable. This conclusion holds as long as the directive is not added to the ePO Apache configuration by hand; an administrator who has customized that configuration should confirm that LimitXMLRequestBody is still absent or still set below the threshold.
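The following audit script is an added example and is not Trellix or Apache code. It checks the three preconditions of CVE-2022-22721 together: an httpd version of 2.4.52 or earlier, a 32-bit build, and a LimitXMLRequestBody value above the CVE's 350 MB figure. It assumes the "Server version:" and "Architecture:" lines printed by httpd -V, treats 350,000,000 bytes as the threshold (the CVE gives only the approximate boundary), and reads a flat httpd.conf without following Include directives. The httpd -V output and the two configuration snippets are constructed samples, not output from an ePO installation; point the functions at the real httpd.conf of the Apache instance you want to check.

```python
"""Audit an Apache httpd deployment for the CVE-2022-22721 preconditions.

CVE-2022-22721 needs three things at once: httpd 2.4.52 or earlier, a 32-bit
build, and LimitXMLRequestBody raised above roughly 350 MB.  This added
example parses the build facts from `httpd -V` output and the directive from
configuration text, then reports whether all preconditions hold.  Samples
below are constructed for illustration and are not ePO output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LIMIT_BYTES = 1_000_000      # Apache default for LimitXMLRequestBody
CVE_THRESHOLD_BYTES = 350_000_000    # boundary quoted in the CVE text (approximate)
LAST_AFFECTED_VERSION = (2, 4, 52)

# Apache directive names are case-insensitive; the value is a plain byte count.
_DIRECTIVE = re.compile(r"^LimitXMLRequestBody\s+(\S+)$", re.IGNORECASE)
_VERSION = re.compile(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
_ARCH = re.compile(r"^Architecture:\s*(\d+)-bit", re.MULTILINE)


@dataclass
class Directive:
    line_no: int
    scope: str                   # "server" at top level, "section" inside <...> blocks
    raw_value: str
    value_bytes: Optional[int]   # None when the value is not a plain integer

    @property
    def exceeds_threshold(self) -> bool:
        return self.value_bytes is not None and self.value_bytes > CVE_THRESHOLD_BYTES


def parse_build_info(httpd_v_output: str) -> Tuple[Optional[Tuple[int, int, int]], Optional[int]]:
    """Extract (version tuple, architecture bits) from `httpd -V` output."""
    v = _VERSION.search(httpd_v_output)
    a = _ARCH.search(httpd_v_output)
    version = tuple(int(x) for x in v.groups()) if v else None
    bits = int(a.group(1)) if a else None
    return version, bits


def find_directives(config_text: str) -> List[Directive]:
    """Return every LimitXMLRequestBody occurrence, noting whether it sits inside a section."""
    found, depth = [], 0
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("</"):          # closing tag such as </Location>
            depth = max(depth - 1, 0)
            continue
        if s.startswith("<"):           # opening tag such as <Location /dav>
            depth += 1
            continue
        m = _DIRECTIVE.match(s)
        if m:
            raw = m.group(1)
            found.append(Directive(line_no, "server" if depth == 0 else "section",
                                   raw, int(raw) if raw.isdigit() else None))
    return found


def effective_server_limit(directives: List[Directive]) -> int:
    """Apache keeps the last server-scope value; with none set, the compiled-in default applies."""
    limit = DEFAULT_LIMIT_BYTES
    for d in directives:
        if d.scope == "server" and d.value_bytes is not None:
            limit = d.value_bytes
    return limit


def is_exposed(httpd_v_output: str, config_text: str) -> bool:
    """True only when version, architecture and configuration all match the CVE preconditions."""
    version, bits = parse_build_info(httpd_v_output)
    if version is None or bits is None:
        raise ValueError("could not determine httpd version/architecture from httpd -V output")
    if version > LAST_AFFECTED_VERSION or bits != 32:
        return False
    # Any scope counts: a raised per-location limit still reaches the XML body parser.
    return any(d.exceeds_threshold for d in find_directives(config_text))


# Constructed samples: a 32-bit 2.4.52 build, a config left on the default,
# and a config that raises the server-wide limit to 500 MB.
SAMPLE_HTTPD_V = "Server version: Apache/2.4.52 (Win32)\nArchitecture:   32-bit\n"
SAFE_CONFIG = "# no LimitXMLRequestBody directive: the 1,000,000-byte default applies\nListen 8443\n"
RISKY_CONFIG = ("Listen 8443\n"
                "LimitXMLRequestBody 500000000\n"
                "<Location /dav>\n"
                "    LimitXMLRequestBody 1000000\n"
                "</Location>\n")

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        limit = effective_server_limit(find_directives(cfg))
        print(f"{name}: effective server limit {limit} bytes, exposed={is_exposed(SAMPLE_HTTPD_V, cfg)}")
```

On a real host, replace the samples with the captured output of httpd -V and the contents of the instance's httpd.conf (and any files it includes). A 64-bit build or a 2.4.53-or-later build short-circuits to "not exposed" regardless of the directive, which mirrors the reasoning in the conclusion above: the default value alone keeps ePO clear of the overflow.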