Skip to content

OSG-SEC-2023-04-05 HIGH Apache HTTP request splitting

Dear OSG Security Contacts,

A security vulnerability in the Apache web server was recently announced involving HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690). The bug is only present when certain configuration options are in place, but the potential impact to affected systems is severe.[1]

IMPACTED VERSIONS:

Apache HTTP Server 2.4.0 - 2.4.55

WHAT ARE THE VULNERABILITIES:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. [2]

For example, something like:

RewriteEngine on

RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]

ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.

WHAT YOU SHOULD DO:

If your Apache web servers have mod_proxy enabled, and your configuration makes use of the RewriteRule or ProxyPassReverse options, you should install the updated Apache web server packages when they are available for your systems and restart the Apache web server.

All Linux systems running Apache HTTP server 2.4.0 - 2.4.55 are affected by this vulnerability. RHEL7 has updated packages available.[3] Updated packages for RHEL8, 9 are not yet available, but should be within a few days.

Availability of updated packages for other RHEL based distributions like CentOS, Scientific Linux, Rocky Linux, AlmaLinux may lag behind Red Hat's updates. See [4][5][6] for their availability.

For Debian based distributions like Ubuntu see [7][8] for updates.

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2023-25690

[2] https://httpd.apache.org/security/vulnerabilities_24.html

[3] https://access.redhat.com/errata/RHSA-2023:1593

[4] https://errata.rockylinux.org/

[5] https://errata.almalinux.org/

[6] https://www.scientificlinux.org/category/sl-errata/

[7] https://security-tracker.debian.org/tracker/CVE-2023-25690

[8] https://ubuntu.com/security/CVE-2023-25690

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team