How to upgrade Apache http to 2.4.62 to remediate vulnerabilities

Hi,

Below are the vulnerabilities reported on Rocky Linux 8 for Apache http:

CVE ID: CVE-2023-25690 Kenna Status: * open
Description: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" http://example.com:8080/elsewhere?$1; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
CVE ID: CVE-2024-38475 Kenna Status: * open
Description: Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Could you please let us know the procedure/steps to upgrade http to 2.4.62?

Thanks in advance.

You don’t.

CVE-2024-38475

* Thu Jul 11 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.1
- Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue
  in mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in
  mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output
  in mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference
  in mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF
  in mod_rewrite (CVE-2024-39573)

CVE-2023-25690

Already fixed.

* Thu Apr 27 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.5
- Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690

* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.4
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
  with mod_rewrite and mod_proxy

These are already fixed. Please ensure you are running at least httpd-2.4.37-65.module+el8.10.0+1840+b070a976.1. Notify the vendor who makes this “vulnerability scanner” that they are already fixed and security issues are backported.


CVE-2023-25690 is already patched:

- Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting

CVE-2024-38475 appears to also have been patched:

- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output
  in mod_rewrite (CVE-2024-38475)

Please explore backporting here. The version of Apache does not tell the whole story. You can find backport patches with:

sudo rpm -q --changelog httpd | grep '<CVE number>'

Make sure that your system is fully upgraded too: sudo dnf upgrade, just to make sure you have the latest of any affected packages.

Thanks,
Steve
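Steve's changelog check, scripted as an added example (not from this thread, Rocky or Red Hat): it takes a list of CVE ids, reads the changelog on stdin, and reports the package release whose entry mentions each id, so the comparison is against the backport rather than the upstream version string the scanner sees. The `check_cves` function name and the sample changelog are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from this thread, Rocky or Red Hat): scripting the
# "rpm -q --changelog" check so that a whole list of CVE ids can be verified
# at once, and so that the report names the package release that carries
# the backport rather than the upstream version string the scanner sees.

# check_cves CVE-ID...  reads changelog text on stdin and prints, per CVE,
# "CVE-ID fixed in <version-release>" or "CVE-ID NOT FOUND".
# Exit status is 0 only if every CVE was found in the changelog.
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        # Each changelog entry starts with "* <date> <packager> - <ver-rel>";
        # remember the latest header, and when a body line mentions the CVE
        # report that header's version-release (its last whitespace field).
        ver=$(printf '%s\n' "$changelog" | awk -v cve="$cve" '
            /^\* /          { ver = $NF; next }
            index($0, cve)  { print ver; exit }')
        if [ -n "$ver" ]; then
            printf '%s fixed in %s\n' "$cve" "$ver"
        else
            printf '%s NOT FOUND\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample built from the changelog entries quoted in the thread,
# so the script runs offline; on a real host feed it from rpm instead:
#   rpm -q --changelog httpd | check_cves CVE-2023-25690 CVE-2024-38475
SAMPLE_CHANGELOG='* Thu Jul 11 2024 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-65.1
- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output
  in mod_rewrite (CVE-2024-38475)
* Sat Mar 18 2023 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-56.4
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
  with mod_rewrite and mod_proxy'

# CVE-2024-38474 is absent from the sample, so the last line reports NOT FOUND
# and the function returns 1.
printf '%s\n' "$SAMPLE_CHANGELOG" \
    | check_cves CVE-2023-25690 CVE-2024-38475 CVE-2024-38474 \
    || echo "at least one CVE is not mentioned in the changelog"
```

A match only proves the changelog mentions the id, so read the matching entry: the thread's own grep output includes a "regression with CVE-2023-25690" line, which is a follow-up to a fix that was already applied, not a sign the fix is missing.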

Hi,

Excellent!!! Thank you very much for the information. That means these are already fixed on our machine, so no need to take any action on this, right? Please correct me if I am wrong.

Below are the findings on our machine.

$ dnf list httpd
Last metadata expiration check: 0:03:38 ago on Fri 17 Jan 2025 10:22:23 AM UTC.
Installed Packages
httpd.x86_64 2.4.37-65.module+el8.10.0+1842+4a9649e8.2 @appstream

$ rpm -q --changelog httpd |grep 'CVE-2024-38475'
  in mod_rewrite (CVE-2024-38475)
$ rpm -q --changelog httpd |grep 'CVE-2024-38474'
- Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix
  in mod_rewrite (CVE-2024-38474)
$ rpm -q --changelog httpd |grep 'CVE-2024-38473'
  mod_proxy (CVE-2024-38473)
$ rpm -q --changelog httpd |grep 'CVE-2024-38475'
  in mod_rewrite (CVE-2024-38475)
$ rpm -q --changelog httpd |grep 'CVE-2024-38477'
  in mod_proxy (CVE-2024-38477)
$ rpm -q --changelog httpd |grep 'CVE-2024-39573'
  in mod_rewrite (CVE-2024-39573)
$ rpm -q --changelog httpd |grep 'CVE-2023-25690'
- Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting

If all these are already fixed, then why is the scanner catching these Apache parameters and asking to update to the latest 2.4.6x?

Thank you.

Can be a number of reasons:

  1. Scanner doesn’t have SSH access to the server to be able to login and verify that it has been fixed.
  2. Scanner thinks the older version number is a security risk and gives a false positive due to lack of information.
  3. The scanner you have relies solely on version number alone which means the scanner is rubbish. In which case, get a better scanner.

Since you can see it has been fixed by the CVEs that have been applied, it shows your scanner is the problem here.

Ok, thank you.

Let me reply to them with proper information about this fix. Let us see what they say.

Will keep you posted here.

Thank you once again.
