Apache HTTP Server: IAVA NOTICE 2023-A-0124/ CVE-2023-27522 CVE-2023-25690
Article ID: 263478
Updated On:
Products
Network Observability
Issue/Introduction
We are being asked to verify when this vulnerability will be addressed in an upgrade?
Plugin: 172186
Plugin Output:
Path : /opt/spectrum/apache/bin/httpd
Installed version : 2.4.53
Fixed version : 2.4.56
| Information Assurance Vulnerability Alert 2023-A-0124 Clicking certain links on this page may open sites outside of the IAVM system! |
||||||||||||||||||
|
| Timeline Summary: |
|
| Revision History: |
|
| Superseded By: | N/A |
| Supersedes: |
2023-A-0047
|
| Known Exploits: | No |
| Known DoD Incidents: | No |
| Executive Summary: |
The Apache Foundation has addressed multiple vulnerabilities affecting Apache HTTP Server. The Apache HTTP Server is a free and open-source cross-platform web server software. If exploited, these vulnerabilities could allow a remote attacker to send malicious HTTP request into the affected application and bypass security restrictions.
At this time, there are no known exploits associated with these vulnerabilities. JFHQ-DODIN is not aware of any DoD-related incidents. |
| Technical Overview: |
CVE-2023-27522:
The vulnerability exists due to software does not correclty process CRLF character sequences in mod_rewrite and mod_proxy. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response. CVE-2023-25690:
The vulnerability exists due to software does not correclty process CRLF character sequences in mod_rewrite and mod_proxy. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response. |
Environment
Release : 22.2
Resolution
Apache HTTP will be updated to 2.4.56 in Spectrum 22.2.8.
Apache HTTP is only used when employing Mode Security and is not enabled by default. If not being used the httpd binary can safely
be renamed or deleted from the OneClick system.
Feedback
Yes
No
Powered by
