Описание
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
A flaw was found in Apache httpd. The mod_proxy_wstunnel module tunnels non-upgraded connections.
Меры по смягчению последствий
Only configurations which use mod_proxy_wstunnel are affected by this flaw. It is also safe to comment-out the "LoadModule proxy_wstunnel_module ... " line in /etc/httpd/conf.modules.d/00-proxy.conf for configurations which do not rely on a websockets reverse proxy.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Not affected | ||
| Red Hat Enterprise Linux 7 | httpd | Out of support scope | ||
| Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Will not fix | ||
| Red Hat Enterprise Linux 9 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | httpd22 | Out of support scope | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd22 | Out of support scope | ||
| Red Hat Software Collections | httpd24-httpd | Will not fix | ||
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr | Fixed | RHSA-2021:4614 | 10.11.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr-util | Fixed | RHSA-2021:4614 | 10.11.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-curl | Fixed | RHSA-2021:4614 | 10.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configu ...
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
EPSS
4.8 Medium
CVSS3