Описание
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
An access control bypass vulnerability was found in Apache httpd. The Apache HTTP Server with some mod_ssl configurations can bypass the access controls by trusted clients using TLS 1.3 session resumption. A client trusted to access one virtual host may be able to access another if SSLStrictSNIVHostCheck is not enabled on either host.
Отчет
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates. For example, with a different SSLCACertificateFile/Path setting. This vulnerability is rated Moderate rather than Important due to the specific and uncommon configuration prerequisites needed for exploitation. The flaw allows a trusted client—one already holding valid client certificates for one virtual host—to potentially bypass access controls and access another virtual host by leveraging TLS 1.3 session resumption, only if the SSLStrictSNIVHostCheck directive is not enabled on either host. This bypass is not a general remote access issue, nor does it allow an unauthenticated or untrusted attacker to gain access. Furthermore, affected systems are those with complex, multi-tenant SSL client auth setups, which are relatively rare.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | httpd | Affected | ||
| Red Hat Enterprise Linux 6 | httpd | Not affected | ||
| Red Hat Enterprise Linux 7 | httpd | Not affected | ||
| Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Affected | ||
| Red Hat Enterprise Linux 9 | httpd | Affected | ||
| JBoss Core Services for RHEL 8 | jbcs-httpd24-httpd | Fixed | RHSA-2025:13680 | 14.08.2025 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-mod_http2 | Fixed | RHSA-2025:13680 | 14.08.2025 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-mod_jk | Fixed | RHSA-2025:13680 | 14.08.2025 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-mod_md | Fixed | RHSA-2025:13680 | 14.08.2025 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-mod_proxy_cluster | Fixed | RHSA-2025:13680 | 14.08.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to ...
EPSS
7.5 High
CVSS3