We're running a CA Access Gateway (SPS) and we'd like to know how to
protect it from the following vulnerabilities:
A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
When trace/debug was enabled for the HTTP/2 module and on certain traffic edge pattern
We noted that SPS runs Apache 2.4.43:
Defects Fixed in 12.8.04
20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
upgraded to 7.0.104.
How can we fix this?
At first glance, these vulnerabilities are present when Apache
uses mod_http2 or mod_proxy_uwsgi. Out of the box, CA Access Gateway
(SPS) 12.8 doesn't load these modules, as per the documentation:
Review Embedded Servers for Vulnerabilities
As such, the CA Access Gateway (SPS) 12.8SP4 is not vulnerable to the
3 vulnerabilities mentioned.
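
One way to confirm on a given install that neither module has been enabled since deployment is to look for active LoadModule lines in the gateway's httpd configuration. The script below is an added example, not part of the original article or of the product; the function name and the sample configuration files are constructed for illustration, and the path to your own httpd configuration file is for you to supply.

```shell
#!/bin/sh
# Print every active LoadModule line for mod_http2 or mod_proxy_uwsgi in the
# given httpd configuration file. Exit status 0 = at least one is loaded,
# 1 = neither is loaded. Included files are not followed; run it on each one.
active_risky_modules() {
    awk '
        # Commented-out directives do not count.
        /^[[:space:]]*#/ { next }
        # Directive names are case-insensitive and may be indented.
        tolower($1) == "loadmodule" &&
        ($2 == "http2_module" || $2 == "proxy_uwsgi_module") {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configurations (not taken from a real SPS install).
sample_dir=$(mktemp -d)
cat > "$sample_dir/default.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
#LoadModule http2_module modules/mod_http2.so
  # LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
EOF
cat > "$sample_dir/modified.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
  loadmodule http2_module modules/mod_http2.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
EOF

for conf in "$sample_dir/default.conf" "$sample_dir/modified.conf"; do
    if hits=$(active_risky_modules "$conf"); then
        printf 'REVIEW %s\n%s\n' "$conf" "$hits"
    else
        printf 'OK     %s loads neither module\n' "$conf"
    fi
done
```

A file that reports REVIEW means the out-of-the-box assumption above no longer holds for that install, and the three issues should be reassessed against the Apache version in use.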