Power

 View Only

Please update httpd > httpd-2.4.56

  • 1.  Please update httpd > httpd-2.4.56

    Posted Fri March 10, 2023 09:21 AM

    Tenable is reporting these vulnerabilities in IBM httpd-2.4.55, please update to 2.4.56

    The version of Apache httpd installed on the remote host is prior to 2.4.56.
    It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.56 advisory.

    HTTP request splitting with mod_rewrite and mod_proxy: Some mod_proxy configurations on Apache HTTP Server     versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when     mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern     matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the     proxied request-target using variable substitution. For example, something like: RewriteEngine on     RewriteRule ^/here/(.*)  http://example.com:8080/elsewhere?$1 http://example.com:8080/elsewhere ; [P]     ProxyPassReverse /here/ http://example.com:8080/ http://example.com:8080/ Request splitting/smuggling     could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin     servers, and cache poisoning. Acknowledgements: finder: Lars Krapf of Adobe (CVE-2023-25690)

    Solution

    Upgrade to Apache version 2.4.56 or later.


    ------------------------------
    De Quan Qu
    ------------------------------