CVE Apache 2.4.37

Hello, I currently have Apache 2.4.37 and I got the following CVEs:

Apache 2.4.x < 2.4.41 Multiple Vulnerabilities:
CVE-2019-10092: Denial of Service (DoS) issue.
CVE-2019-10098: Vulnerability in mod_rewrite.
Apache 2.4.x < 2.4.46 Multiple Vulnerabilities:
CVE-2020-9490: Denial of Service issue related to header processing.
CVE-2020-11993: Issue in handling HTTP/2 requests.
Apache 2.4.x < 2.4.52 Forward Proxy DoS / SSRF:
CVE-2021-44224: Issue related to SSRF in proxy configuration.
Apache 2.4.x < 2.4.53 Multiple Vulnerabilities:
CVE-2022-22721: Security flaw in mod_sed.
CVE-2022-23943: Authentication and authorization vulnerability.
Apache 2.4.x < 2.4.58 Out-of-Bounds Read (CVE-2023-31122):
CVE-2023-31122: Out-of-bounds read, which may allow denial of service attacks or information disclosure.
OpenSSL 1.1.1 < 1.1.1l Multiple Vulnerabilities:
CVE-2021-3449: Denial of service issue.
CVE-2021-3450: Certificate verification error.

Do you know if the CVEs mentioned are addressed in the version of Apache that I have?

You don’t have “Apache 2.4.37”. You have – if you do have Rocky 8’s httpd package – RHEL 8’s fork of httpd, originally based on upstream 2.4.37.
It has backports. See “What is backporting and how does it affect Red Hat Enterprise Linux?” on the Red Hat Customer Portal.

You can run rpm -q --changelog httpd and read what CVEs are mentioned.


So, would you understand that the CVEs mentioned would be resolved?

Run the command @jlehtone mentioned and grep for the CVEs you are looking for. Example:

rpm -q --changelog httpd | grep CVE-2019-10098
- Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential
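
Added example (not part of the thread): a shell helper that runs the changelog check suggested above over a whole list of CVE IDs at once, so a scanner finding can be compared against the package's backports. The function names are hypothetical, and the sample changelog is constructed except for the CVE-2019-10098 line quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# cve_report: read changelog text on stdin and print "<id> mentioned" or
# "<id> not-mentioned" for every CVE ID passed as an argument.
cve_report() {
    cr_log=$(cat)
    for cr_id in "$@"; do
        # -F: literal match; -w: whole word, so a shorter ID cannot match
        # inside a longer one.
        if printf '%s\n' "$cr_log" | grep -qwF -- "$cr_id"; then
            echo "$cr_id mentioned"
        else
            echo "$cr_id not-mentioned"
        fi
    done
}

# pkg_cve_report: same check against an installed package's changelog.
pkg_cve_report() {
    pcr_pkg=$1; shift
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q "$pcr_pkg" >/dev/null 2>&1 || { echo "$pcr_pkg not installed" >&2; return 2; }
    rpm -q --changelog "$pcr_pkg" | cve_report "$@"
}

# Constructed sample changelog (placeholder date, packager, release and bug
# number); only the CVE-2019-10098 line is taken from the thread.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2024 Example Packager <packager@example.invalid> - 2.4.37-0.example
- Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential
- Resolves: #0000000 - CVE-2020-9490 (constructed entry)
EOF
}

# Demo on the constructed sample; on a real host use for example:
#   pkg_cve_report httpd CVE-2019-10092 CVE-2019-10098
sample_changelog | cve_report CVE-2019-10098 CVE-2020-9490 CVE-2021-3449
```

A "not-mentioned" result only says the changelog of that package does not name the ID. The OpenSSL CVEs in the list, for instance, would be looked up with `pkg_cve_report openssl ...` rather than in httpd's changelog.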