The solution is thus to update mod_http2 – if you do use it – and use the mitigations mentioned in the RHSAs (if necessary) until Red Hat (and then Rocky) releases fixes for the other two CVEs.
Hello,
Thank you for the clarification, and I’d like to take this opportunity to ask for some help if possible. I’m facing a similar situation after a black box cyber assessment. The following CVEs were reported. If you have any suggestions, I would greatly appreciate it.
@suraydan you can use dnf commands, grepping the changelog for the CVEs:
root@rocky9:~# dnf changelog httpd | egrep "36387|38472|38473|39474|38475|38476|38477|39573"
response headers are malicious or exploitable (CVE-2024-38476)
mod_proxy (CVE-2024-38473)
mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45749 - httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)
mod_rewrite (CVE-2024-38475)
As an example, just picking parts of the CVEs you listed above, you can see that some of them have been fixed. Otherwise, you can simply google the CVE number and RHEL9 and see what RHEL have done in relation to fixing it, or whether RHEL have checked and found no problem for that particular CVE.
In fact, just googling CVE-2024-38474 was enough to find this RHEL article, which answers your question: https://access.redhat.com/solutions/7078219. I'm guessing you didn't do that, since you asked here.
Thank you again for your quick response and help. I will follow your guidance. Great work, and congratulations on the help you’ve been providing on the forum.
Sorry about the confusion. I didn't clarify my question. My question is whether the mod_http2 package in Rocky Linux 9.4 - "2.0.26-2.el9_4 (latest package)" - has backported fixes for these two CVEs, CVE-2023-45802 and CVE-2023-43622. I have this question because when I ran the following command under Rocky Linux 9.4, I couldn't find fixes for these two CVEs. Following is the command I ran and the result I got:
rpm -q --changelog mod_http2
* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2
- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
DoS (CVE-2024-27316)
* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-1
- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26
* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
mod_rewrite and mod_proxy
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-4
- Resolves: #2143176 - Dependency from mod_http2 on httpd broken
Looks like it imports mod_http2-2.0.26-1.el9 from Red Hat. Thus the latest mod_http2-2.0.26-2.el9 should have already fixed CVE-2023-45802 and CVE-2023-43622 in https://issues.redhat.com/browse/RHEL-14691
As for the link I already posted: if you had actually opened it and seen that it mentions a fix for RHEL9, you would have found this link: https://access.redhat.com/errata/RHSA-2024:2368
It says it's fixed in the version you mentioned above for the CVEs you mentioned - I guess they just didn't include the errata message, or else it would have appeared in the changelog. If you had read that link you would have seen that the problem has been addressed.
Remember, Google is your friend; use it before posting - we are not here to google for you.
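Added example, not code from anyone in this thread: a small Python script that does what the dnf/rpm changelog greps above do by hand, parsing `rpm -q --changelog` output into per-version entries and reporting the oldest version whose entry names each CVE. The header pattern, the function names and the sample input (the mod_http2 changelog quoted earlier in the thread) are my own assumptions; a CVE that is never named comes back as None, which, as the RHSA-2024:2368 case shows, means "check the errata", not "unfixed".

```python
import re
import subprocess

# Entry header, e.g. "* Fri Apr 05 2024 Name <mail> - 2.0.26-2"; captures version-release.
HEADER_RE = re.compile(r"^\* \w{3} \w{3} \d{2} \d{4} .*? - (?P<evr>\S+)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample input: the mod_http2 changelog quoted in the thread above.
SAMPLE_CHANGELOG = """\
* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2
- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
DoS (CVE-2024-27316)
* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-1
- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26
* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
mod_rewrite and mod_proxy
"""

def parse_changelog(text: str) -> list:
    """Split changelog text into (version-release, body) entries, newest first."""
    entries, version, body = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if version is not None:
                entries.append((version, "\n".join(body)))
            version, body = m.group("evr"), []
        elif version is not None:
            body.append(line)
    if version is not None:
        entries.append((version, "\n".join(body)))
    return entries

def cve_fix_versions(text: str, cves) -> dict:
    """Map each CVE to the oldest version naming it; None means never named, which is
    NOT proof it is unfixed (a rebase entry like RHEL-14691 may carry fixes only the RHSA lists)."""
    result = {cve: None for cve in cves}
    for version, body in reversed(parse_changelog(text)):  # oldest entry first
        for cve in CVE_RE.findall(body):
            if cve in result and result[cve] is None:
                result[cve] = version
    return result

def installed_changelog(package: str) -> str:
    """Changelog of an installed RPM via rpm(8); the sample run below does not need rpm."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    print(cve_fix_versions(SAMPLE_CHANGELOG, ["CVE-2024-27316", "CVE-2023-25690", "CVE-2023-45802"]))
```

On a live Rocky box, replace SAMPLE_CHANGELOG with installed_changelog("mod_http2") (or "httpd") and pass the CVE list from the assessment report.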