Apache HTTP Server 2.4 Vulnerabilities: CVE-2024-24795, CVE-2024-27316, and CVE-2023-38709
Priority: ● Medium
Status: Undergoing Analysis
First Published: 16 April, 2024
Advisory Version: 1.0
References: CVE-2024-24795, CVE-2024-27316, CVE-2023-38709
Summary
CVE-2024-24795: An attacker could inject malicious response headers via HTTP response splitting, with previous versions of Apache HTTP Server v2.4. This could subsequently enable the attacker to perform further exploits and possibly obtain sensitive information. The Apache Foundation currently has a risk assessment of "low" for this CVE.
CVE-2024-27316: An attacker could cause memory exhaustion and a subsequent DoS by sending a continuous stream of HTTP/2 headers, with previous versions of Apache HTTP Server v2.4. The Apache Foundation currently has a risk assessment of "moderate" for this CVE.
CVE-2023-38709: Faulty input validation in the core of Apache could allow malicious or exploitable backend/content generators to split HTTP responses. As with CVE-2024-24795, this could subsequently enable the attacker to perform further exploits and possibly obtain sensitive information. The Apache Foundation currently has a risk assessment of "moderate" for this CVE.
All three of the above CVEs have been fixed in Apache HTTP Server 2.4.59.
Affected Products
Vulnerable Products
Hitachi Vantara is currently investigating its product lines to determine if any are affected by these vulnerabilities. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding fixed release versions (if such information is available at the time.) Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.
NOTE: Cited product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.
Products Confirmed Not Vulnerable
* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk as additional information about these vulnerabilities are released.
| Product | Notes |
| Storage Products |
| Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Virtual Storage Platform VSP G130, F/G350, VSP F/G370, VSP F/G700, VSP F/G900 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 900 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Virtual Storage Platform G1000, F/G1500 (VSP F/G1x00) RAID 800 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Virtual Storage Platform (VSP) RAID 700 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Hitachi Unified Storage VM (HUS VM) HM700 |
CVE-2024-24795: Not vulnerable. Affected Apache component, "Insert Response Header", is not implemented. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented. CVE-2023-38709: Not vulnerable. Affected Apache component, "Backend/Content Generator", is not implemented. |
| Software Products |
| Hitachi Virtual Storage System Block (VSSB) | CVE-2024-24795, CVE-2024-27316, and CVE-2023-38709: Not vulnerable. Apache2 is not implemented. |
| Hitachi Remote Ops | CVE-2024-24795, CVE-2024-27316, and CVE-2023-38709: Not vulnerable. Apache2 is not implemented. |
| Content Products | |
| Hitachi Data Ingestor (HDI/HFSM) |
CVE-2024-24795: Not vulnerable. HFSM does not have the function to run external content (backend applications) on the web server and therefore does not meet the conditions for this issue to occur. CVE-2024-27316: Not vulnerable. The HTTP/2 protocol is not implemented CVE-2023-38709: Not vulnerable. HFSM does not have the ability to run external content (malicious or exploitable backend/content generators) on its web servers and therefore does not meet the conditions for this issue to occur. |
Recommended Actions
Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.