Apache HTTP Server 2.4.56 released with vulnerabilities fixed

The Apache HTTP Server 2.4.56 release has been published; it introduces 6 changes and fixes 2 vulnerabilities related to HTTP Request Smuggling attacks against frontend-backend setups, which allow an attacker to inject into the content of requests from other users processed in the same thread between the frontend and the backend. The attack can be used to bypass access control systems or to inject malicious JavaScript code into a session with a legitimate site.

The first vulnerability (CVE-2023-27522) affects the mod_proxy_uwsgi module and allows the response passing through the proxy to be split into two parts by placing special characters in an HTTP header returned by the backend.

The second vulnerability (CVE-2023-25690) is present in mod_proxy and manifests itself when certain request rewriting rules are used, either through the RewriteRule directive provided by the mod_rewrite module or through certain patterns in the ProxyPassMatch directive. The vulnerability could result in the proxy requesting internal resources that are not meant to be reachable through the proxy, or in poisoning of the cache contents. For the vulnerability to manifest, data from the request URL must be used in the rewrite rules and then substituted into the request forwarded to the backend. For example:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
    ProxyPassReverse /here/ http://example.com:8080/
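To help an administrator find rules of the shape described above before upgrading, here is an added audit script (not from opennet.ru or the Apache project) that scans an httpd.conf fragment for RewriteRule directives carrying the [P] proxy flag whose substitution contains a backreference, and for ProxyPassMatch targets built from backreferences; the sample configuration and the backend.internal host name are constructed for the example.

```python
import re

# Constructed httpd.conf fragment (not from the original page): line 2 follows
# the shape of the advisory example, the other lines are controls for the check.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/static/(.*)" "/assets/$1" [L]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/v1/$1"
ProxyPass /fixed/ http://backend.internal:9000/fixed/
"""

TOKEN = re.compile(r'"[^"]*"|\S+')                         # quoted argument or bare word
PROXY_FLAG = re.compile(r'\[[^\]]*\b(?:P|proxy)\b', re.I)  # [P], [P,L], [L,proxy], ...
BACKREF = re.compile(r'\$\d')                              # $1 .. $9 from the matched pattern

def _args(line):
    """Split a directive line into arguments, honouring double quotes."""
    return [t.strip('"') for t in TOKEN.findall(line)]

def find_risky_rules(conf_text):
    """Return (line number, directive, reason) for every rule that proxies a
    request whose target URL is assembled from data taken out of the request URL."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args = _args(line)
        directive = args[0].lower()
        if directive == "rewriterule" and len(args) >= 3:
            subst, flags = args[2], " ".join(args[3:])
            if PROXY_FLAG.search(flags) and BACKREF.search(subst):
                findings.append((lineno, "RewriteRule",
                                 "proxied ([P]) substitution uses backreference %s"
                                 % BACKREF.search(subst).group()))
        elif directive == "proxypassmatch" and len(args) >= 3:
            if BACKREF.search(args[2]):
                findings.append((lineno, "ProxyPassMatch",
                                 "target uses backreference %s from the request URL"
                                 % BACKREF.search(args[2]).group()))
    return findings

if __name__ == "__main__":
    for lineno, directive, reason in find_risky_rules(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, directive, reason))
```

The check is a heuristic: every hit needs manual review, and rules spread over Include files or inside <VirtualHost> blocks must be fed to it file by file.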

Non-security changes include:

  • The "-T" flag has been added to the rotatelogs utility; when rotating logs it truncates the subsequent log files without truncating the initial log file.
  • mod_ldap now accepts negative values in the LDAPConnectionPoolTTL directive, to configure reuse of connections of any age.
  • In the mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, support for the ED25519 digital signature scheme and for Certificate Transparency (CT) public-log information is included when built with libressl 3.5.0+. The MDChallengeDns01 directive allows settings to be defined for individual domains.
  • mod_proxy_uwsgi has tightened the checking and parsing of responses from HTTP backends.

Source: opennet.ru