Security

Mitigation Instructions for CVE-2023-25690

Written by CyRisk Vulnerability Management Team | Jun 13, 2023 3:39:43 PM

SUBJECT: CVE-2023-25690 HTTP Request Smuggling attack

TECH STACK: Apache HTTP Server versions 2.4.0 through 2.4.55

DATE(S) ISSUED: 03/07/2023

NVD Last Modified: 04/24/2023

CRITICALITY: CRITICAL 

OVERVIEW:  

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. 

SOLUTION:

To mitigate this vulnerability, it is recommended to update the Apache HTTP Server to at least version 2.4.56. This update addresses the issue and helps protect against potential attacks.

REFERENCES:

National Vulnerability Database (NVD):

Red Hat Security Advisory:

IBM Support: