
Mitigation Instructions for CVE-2023-25690


SUBJECT: CVE-2023-25690 HTTP Request Smuggling attack

TECH STACK: Apache HTTP Server versions 2.4.0 through 2.4.55

DATE(S) ISSUED: 03/07/2023

NVD Last Modified: 04/24/2023

CRITICALITY: CRITICAL 

OVERVIEW:  

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.

SOLUTION:

To mitigate this vulnerability, it is recommended to update the Apache HTTP Server to at least version 2.4.56. This update addresses the issue and helps protect against potential attacks.
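The following Python script is an added example and is not part of this advisory or of the Apache project. It does two things a defender would want to check: it compares an `httpd -v` banner against the affected range stated above (2.4.0 through 2.4.55, fixed in 2.4.56), and it scans an httpd configuration for the directive shape described in the overview (a RewriteRule carrying the proxy flag, or a ProxyPassMatch, whose pattern contains a non-specific capture such as `(.*)` that is re-inserted into the target via a `$N` backreference). The sample configuration is constructed for the example and modelled on the advisory's own snippet; what counts as "non-specific" is an assumption of this heuristic, so a clean scan is not proof that a configuration is safe, and upgrading remains the fix.

```python
import re
import shlex
from typing import List, Tuple

# Version range taken from the advisory: 2.4.0 through 2.4.55 affected, 2.4.56 fixed.
FIRST_AFFECTED = (2, 4, 0)
FIRST_FIXED = (2, 4, 56)

# Assumption of this heuristic: a capture group that matches anything, e.g. (.*) or (.+),
# is "non-specific" in the sense the advisory uses.
NONSPECIFIC = re.compile(r"\(\.[*+]\??\)")
BACKREF = re.compile(r"\$\d")


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a banner such as
    'Server version: Apache/2.4.54 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected_version(banner: str) -> bool:
    """True if the banner's version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(banner) < FIRST_FIXED


def _is_proxy_flag_set(flag_token: str) -> bool:
    """RewriteRule flags look like [P], [P,L] or [proxy]; 'PT' (passthrough) is not proxying."""
    flags = flag_token.strip("[]").split(",")
    return any(f.strip().upper() == "P" or f.strip().lower() == "proxy" for f in flags)


def find_risky_directives(config_text: str) -> List[Tuple[int, str]]:
    """Return (line number, directive) for every RewriteRule with the proxy flag, and every
    ProxyPassMatch, whose pattern has a non-specific capture re-inserted into the target."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the double quotes httpd.conf uses
        except ValueError:
            continue  # unbalanced quotes: not a directive this check can assess
        name = parts[0].lower()
        if name == "rewriterule" and len(parts) >= 3:
            pattern, subst = parts[1], parts[2]
            proxied = len(parts) > 3 and _is_proxy_flag_set(parts[3])
            if proxied and NONSPECIFIC.search(pattern) and BACKREF.search(subst):
                findings.append((lineno, line))
        elif name == "proxypassmatch" and len(parts) >= 3:
            pattern, subst = parts[1], parts[2]
            if NONSPECIFIC.search(pattern) and BACKREF.search(subst):
                findings.append((lineno, line))
    return findings


# Constructed sample configuration, modelled on the advisory's example (not a real deployment).
SAMPLE_CONFIG = """\
# constructed sample for the example
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
# specific pattern: the capture only admits digits, so it is not flagged
RewriteRule "^/item/([0-9]+)$" "http://example.com:8080/item?id=$1" [P]
# non-specific capture, but an internal rewrite rather than a proxied one: not flagged
RewriteRule "^/old/(.*)" "/new/$1" [L]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:8080/api/$1"
"""


def report(banner: str, config_text: str) -> str:
    """Human-readable summary combining the version check and the config scan."""
    lines = ["affected version: %s" % is_affected_version(banner)]
    for lineno, directive in find_risky_directives(config_text):
        lines.append("line %d: %s" % (lineno, directive))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed banner; on a real host feed in the output of `httpd -v` and the config files.
    print(report("Server version: Apache/2.4.54 (Unix)", SAMPLE_CONFIG))
```

On the sample above the scan flags the RewriteRule on line 3 and the ProxyPassMatch on line 9 and leaves the digit-only and internal-rewrite lines alone. Because `Include` directives and `.htaccess` files are not followed, run the scan over every file httpd actually loads (for example the output of `httpd -t -D DUMP_INCLUDES` on releases that support it) rather than over a single httpd.conf.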

REFERENCES:

National Vulnerability Database (NVD):

Red Hat Security Advisory:

IBM Support:
