Apache HTTP Server: IAVA NOTICE 2023-A-0124/ CVE-2023-27522 CVE-2023-25690



Article ID: 263478


Updated On: 10-23-2023

Products

Network Observability

Issue/Introduction


We are being asked to verify when this vulnerability will be addressed in an upgrade.

Plugin: 172186
Plugin Output:
Path : /opt/spectrum/apache/bin/httpd
  Installed version : 2.4.53
  Fixed version     : 2.4.56

 

Information Assurance Vulnerability Alert

2023-A-0124

Title: Multiple Vulnerabilities in Apache HTTP Server
Notice Number: 2023-A-0124
Revision Number: 0.0
References:
STIG Finding Severity: CAT I
CVEs: CVE-2023-27522, CVE-2023-25690
BIDs: 135560, 135582

 

Timeline Summary:
  Release Date:          09 Mar 2023
  Acknowledge Date:      14 Mar 2023
  First Report Date:     20 Mar 2023
  POA&M Mitigation Date: 30 Mar 2023

 

Revision History:
  Revision Number:        0.0
  Major Revision Date:    09 Mar 2023
  Major Revision Details: Initial Release
  Minor Revision Date:
  Minor Revision Details:

 

Superseded By: N/A
Supersedes: 2023-A-0047
Known Exploits: No
Known DoD Incidents: No
 
Executive Summary:
The Apache Foundation has addressed multiple vulnerabilities affecting Apache HTTP Server. The Apache HTTP Server is free, open-source, cross-platform web server software. If exploited, these vulnerabilities could allow a remote attacker to send a malicious HTTP request to the affected application and bypass security restrictions.

At this time, there are no known exploits associated with these vulnerabilities. JFHQ-DODIN is not aware of any DoD-related incidents.
 
Technical Overview:
CVE-2023-27522:
The vulnerability exists because the software does not correctly process CRLF character sequences in mod_rewrite and mod_proxy. A remote attacker can send a specially crafted request containing a CRLF sequence and cause the application to send a split HTTP response.

CVE-2023-25690:
The vulnerability exists because the software does not correctly process CRLF character sequences in mod_rewrite and mod_proxy. A remote attacker can send a specially crafted request containing a CRLF sequence and cause the application to send a split HTTP response.
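As an added triage example (not part of this article or of the IAVM notice): a Python scan over Apache access-log lines that flags request targets carrying percent-encoded CR/LF, the input class both CVEs above describe. Apache logs the raw request line, so CRLF arrives percent-encoded (or double-encoded); the log format, sample lines and addresses here are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# A request target must never contain a bare CR or LF once decoded.
CRLF_RE = re.compile(r'[\r\n]')


def decoded_target(target: str) -> str:
    """Percent-decode twice so that double-encoded %250d%250a is also caught."""
    return unquote(unquote(target))


def find_crlf_requests(lines):
    """Return (client, raw_target) for every log line whose decoded target holds CR or LF."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format; skip it
        if CRLF_RE.search(decoded_target(m.group("target"))):
            hits.append((m.group("client"), m.group("target")))
    return hits


# Constructed sample lines (not real traffic): benign, single-encoded CRLF, double-encoded CRLF.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "GET /spectrum/index.html HTTP/1.1" 200 1234',
    '198.51.100.7 - - [10/Mar/2023:10:00:02 +0000] "GET /spectrum/page?x=a%0d%0ainjected HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2023:10:00:03 +0000] "GET /spectrum/page?x=%250d%250ab HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, target in find_crlf_requests(SAMPLE_LOG):
        print(f"CRLF in request target from {client}: {target}")
```

A hit is a reason to review the request, not proof of exploitation; the fix remains the upgrade to 2.4.56 described under Resolution.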

Environment

Release : 22.2

Resolution


Apache HTTP will be updated to 2.4.56 in Spectrum 22.2.8.


Apache HTTP is only used when employing Mode Security and is not enabled by default. If it is not being used, the httpd binary can safely be renamed or deleted from the OneClick system.