Apache has released a new HTTP Server version to address two security flaws; CVE-2023-25690 and CVE-2023-27522. The vulnerabilities may allow an attacker to perform HTTP smuggling attacks on a vulnerable server. On successful exploitation, these vulnerabilities could result in information disclosure and enable attackers to execute further attacks.
The Apache HTTP Server, also called “httpd,” is an open-source, cross-platform web server software that supports both operating systems UNIX and Windows. It is a secure, efficient, and extensible server providing HTTP services that maintain current HTTP standards. Apache HTTP Server is one of the most extensively used web servers worldwide, as it empowers numerous websites and apps.
CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy
The vulnerability arises from an error in mod_proxy when enabled with some form of RewriteRule or ProxyPassMatch. A remote attacker could use this vulnerability to bypass proxy server access rules, proxying unwanted URLs to existing origin servers, and cache poisoning.
The advisory states, “Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request target using variable substitution.”
CVE-2023-27522: mod_proxy_uwsgi HTTP response splitting
The vulnerability exists due to an error in mod_proxy _uwsgi configurations that could allow a remote attacker to inject any HTTP header and force the server to send back a split response. This vulnerability may allow attackers to carry out other attacks, including Web cache poisoning or cross-site scripting, and obtain sensitive information.
The attack is carried out by adding special characters to the original response header, which can truncate or split the response forwarded to the client. Attackers can use this to insert their headers into the request, making the server produce a split response.
Apache HTTP Server versions 2.4.0 through 2.4.55
Apache HTTP Server versions from 2.4.30 through 2.4.55
Customers must upgrade to the Apache HTTP Server version 2.4.56 or later to patch the vulnerability.
Please refer to the Apache Security Advisory for more information.
Qualys customers can scan their devices with QIDs 730758 and 730765 to detect vulnerable assets. These QIDs check for vulnerable versions of the Apache HTTP Server by sending a GET request to a target and extracting the version from the response header.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.