Security

Mitigation Instructions for CVE-2023-25690 and CVE-2023-27522

Written by CyRisk Vulnerability Management Team | Feb 27, 2024 4:55:46 PM

SUBJECT: Urgent Security Update: Apache HTTP Server Vulnerabilities Mitigation

TECH STACK: Apache HTTP Server

DATE(S) ISSUED: 03/07/2023

NVD LAST MODIFIED: 10/21/2023

CRITICALITY: CRITICAL

OVERVIEW: This advisory communicates essential steps to mitigate multiple critical vulnerabilities identified in Apache HTTP Server versions prior to 2.4.56. Notably, these vulnerabilities pertain to HTTP request splitting and HTTP response splitting, potentially leading to HTTP Request Smuggling attacks and HTTP Response Smuggling vulnerabilities, respectively. Immediate action is required to upgrade Apache HTTP Server installations to version 2.4.56 or later to address these security concerns.

VULNERABILITY DETAILS:

  1. CVE-2023-25690: Concerns a vulnerability with mod_proxy and mod_rewrite where specific configurations allow HTTP Request Smuggling attacks. Attackers can exploit non-specific pattern matches in rewrite rules or ProxyPassMatch directives to inject requests, leading to access control bypass, unintended URL proxying, and cache poisoning.

  2. CVE-2023-27522: Involves a vulnerability in mod_proxy_uwsgi that allows HTTP Response Smuggling. Special characters in the origin response header can truncate or split the response, affecting versions 2.4.30 through 2.4.55.

SOLUTION/MITIGATION:

  • Immediate Upgrade Required: Update to Apache HTTP Server version 2.4.56 or later to remedy these vulnerabilities and reinforce server security.

ADDITIONAL INFORMATION:

  • Severity: Classified as critical, with a CVSS v3 base score of 9.8, indicating a significant risk of exploitability.
  • Exploit Availability: Yes. Known exploits are available, underscoring the importance of swift action.
  • Patch Publication Date: 03/07/2023

VERIFICATION:

  • After upgrading, verify the current version of Apache HTTP Server to ensure it is 2.4.56 or later.
  • Review server configurations, especially related to mod_proxy, mod_rewrite, and mod_proxy_uwsgi, for compliance with security best practices.

REFERENCES:

  • CVE-2023-25690 & CVE-2023-27522: For detailed vulnerability information.
  • Apache HTTP Server Advisory: Consult the Apache 2.4.56 advisory for comprehensive guidance on addressing these issues.

ACTION ITEMS:

  1. Perform an inventory check for Apache HTTP Server instances running versions prior to 2.4.56.
  2. Schedule and execute upgrades to version 2.4.56 or newer.
  3. Conduct a review of current configurations for mod_proxy, mod_rewrite, and mod_proxy_uwsgi to identify and rectify potential vulnerabilities.
  4. Continue monitoring for any further advisories or patches from Apache.

Prompt attention to these vulnerabilities is paramount to maintaining the integrity and security of your web server infrastructure.