Certain mod_proxy Configurations on Versions of Apache HTTP Server Could Allow Unauthorized Access

Content

Priority: Medium

Status: Monitoring

 

First Published: 12 April, 2023

Advisory Version: 1.0

References: CVE-2023-25690

 

Summary

Certain mod_proxy configurations in versions 2.4.0 through 2.4.55 of Apache HTTP Server could allow unauthorized access via an "HTTP Request Smuggling attack". The official CVE entry describes these configurations:

"Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution ... Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning."
[CVE-2023-25690 - Mitre.org]

This vulnerability has since been fixed in version 2.4.56 (or later) of Apache HTTP Server.

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding fixed release versions (if such information is available at the time.) Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.

Products Confirmed Not Vulnerable

* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk.

Product Notes
Software
Hitachi Automation Director (HAD)
10.0.1-00 and v10.9.1-00
Not vulnerable
The implemented web server does not support the affected configurations.

 

Recommended Actions

Please continue to check this Security Advisory, as new information will be added to it as it becomes available.

 

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

NOTE: Any cited product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.

CXone Metadata

Tags: CVE,pagetype:knowledgearticle,article:cve

PageID: 172387

Solution Properties

Keywords
https://knowledge.hitachivantara.com/Security/mod_proxy_Apache
Solution ID
241403060172387
Last Modified Date
08/28/2024 12:12:19 PM
Attributes
Page Privacy and Permission Assignment
  • Page Privacy: Private
  • Page Level Permissions: Anonymous; Employee; Service Partner; Customer; IT; eServices
  • Article: cve
  • Pagetype: knowledgearticle
Taxonomy
  • Security Advisories > Advisories
Collections
  • Customer
  • Employee
  • Guest (Public)
  • Service Partner
Views
0