Mailing List Archive

question on CVE-2023-36760
PWEB server is running a version of Apache affected.

Our prod web server is running a version of the Apache affected by by CVE-2023-36760<https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which is a critical vulnerability affecting versions of Apache server <= 2.4.54<https://httpd.apache.org/security/vulnerabilities_24.html>. CVE-2023-36760 allows for potential HTTP request smuggling from the Apache server through the Apache JServ Protocol (AJP) to the application server.

How do I check whether AJP is being utilized to proxy requests from the WEB server to the APPlication server? Also does that mean that if our WEB server does not use AJP, then that means we shouldn't need to worry about this vulnerability and do not need to upgrade to the new Apache version, 2.4.55?

Please clarify.

Thank you,
Pashia
Re: question on CVE-2023-36760 [ In reply to ]
If you are not using "*Apache JServ Protocol (AJP)" *then the CVE does not
pertain to your Apache server.

On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.thao@uwss.wisconsin.edu>
wrote:

> PWEB server is running a version of Apache affected.
>
>
>
> Our prod web server is running a version of the Apache affected by by
> CVE-2023-36760 <https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which
> is a critical vulnerability affecting versions of Apache server <= 2.4.54
> <https://httpd.apache.org/security/vulnerabilities_24.html>. *CVE-2023-36760
> allows for potential HTTP request smuggling from the Apache server through
> the Apache JServ Protocol (AJP) to the application server*.
>
>
>
> How do I check whether *AJP* is being utilized to proxy requests from the
> WEB server to the APPlication server? Also does that mean that if our WEB
> server does not use AJP, then that means we shouldn’t need to worry about
> this vulnerability and do not need to upgrade to the new Apache version,
> 2.4.55?
>
>
>
> Please clarify.
>
>
>
> Thank you,
>
> Pashia
>
>
>
RE: question on CVE-2023-36760 [ In reply to ]
Thank you for responding. I’m wondering though, how do I confirm it is using AJP or not using AJP for sure?

Thanks,
Pashia

From: Otis Dewitt - NOAA Affiliate <otis.dewitt@noaa.gov.INVALID>
Sent: Tuesday, February 7, 2023 9:46 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] question on CVE-2023-36760


*External Email: Use caution responding, opening attachments, or clicking on links.*
If you are not using "Apache JServ Protocol (AJP)" then the CVE does not pertain to your Apache server.

On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.thao@uwss.wisconsin.edu<mailto:pashia.thao@uwss.wisconsin.edu>> wrote:
PWEB server is running a version of Apache affected.

Our prod web server is running a version of the Apache affected by by CVE-2023-36760<https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which is a critical vulnerability affecting versions of Apache server <= 2.4.54<https://httpd.apache.org/security/vulnerabilities_24.html>. CVE-2023-36760 allows for potential HTTP request smuggling from the Apache server through the Apache JServ Protocol (AJP) to the application server.

How do I check whether AJP is being utilized to proxy requests from the WEB server to the APPlication server? Also does that mean that if our WEB server does not use AJP, then that means we shouldn’t need to worry about this vulnerability and do not need to upgrade to the new Apache version, 2.4.55?

Please clarify.

Thank you,
Pashia
Re: question on CVE-2023-36760 [ In reply to ]
Well, what does your Proxy directive look like ? if it uses the ajp
protocol, then you use AJP, if it says https or something else, then you
don't use AJP.

ProxyPass "/app" "ajp://backend.example.com:8009/app" (you use ajp)
ProxyPass "/app" "https://backend.example.com:8009/app" (you don't use ajp)

see: https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html

:wq

Carsten




On Tue, Feb 07, 2023 at 03:53:29PM +0000, Thao, Pashia wrote:
> Thank you for responding. I’m wondering though, how do I confirm it is using AJP or not using AJP for sure?
>
> Thanks,
> Pashia
>
> From: Otis Dewitt - NOAA Affiliate <otis.dewitt@noaa.gov.INVALID>
> Sent: Tuesday, February 7, 2023 9:46 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] question on CVE-2023-36760
>
>
> *External Email: Use caution responding, opening attachments, or clicking on links.*
> If you are not using "Apache JServ Protocol (AJP)" then the CVE does not pertain to your Apache server.
>
> On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.thao@uwss.wisconsin.edu<mailto:pashia.thao@uwss.wisconsin.edu>> wrote:
> PWEB server is running a version of Apache affected.
>
> Our prod web server is running a version of the Apache affected by by CVE-2023-36760<https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which is a critical vulnerability affecting versions of Apache server <= 2.4.54<https://httpd.apache.org/security/vulnerabilities_24.html>. CVE-2023-36760 allows for potential HTTP request smuggling from the Apache server through the Apache JServ Protocol (AJP) to the application server.
>
> How do I check whether AJP is being utilized to proxy requests from the WEB server to the APPlication server? Also does that mean that if our WEB server does not use AJP, then that means we shouldn’t need to worry about this vulnerability and do not need to upgrade to the new Apache version, 2.4.55?
>
> Please clarify.
>
> Thank you,
> Pashia
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org