Описание
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.
Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
An assertion failure flaw was found in Apache httpd. Untrusted clients can send inputs that trigger an assertion failure in the mod_proxy_http2 module, which likely results in an Apache HTTP server crash or denial of service (DoS).
Отчет
The vulnerability only affects Appache httpd if a reverse proxy is configured for an HTTP/2 backend, with the ProxyPreserveHost set to "on". This vulnerability is rated as Moderate because it requires a highly specific and non-default configuration to be exploitable—namely, an Apache HTTP Server acting as a reverse proxy with an HTTP/2 backend and ProxyPreserveHost set to "on". The flaw results in an assertion failure in the mod_proxy_http2 module when handling specially crafted inputs from untrusted clients. While this can lead to a denial of service via server crash, the impact is limited to availability, with no risk of remote code execution or data leakage. Additionally, the condition is recoverable through a simple restart, and there is no persistent state corruption.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
Платформа | Пакет | Состояние | Рекомендация | Релиз |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | httpd | Affected | ||
Red Hat Enterprise Linux 10 | mod_http2 | Affected | ||
Red Hat Enterprise Linux 6 | httpd | Not affected | ||
Red Hat Enterprise Linux 7 | httpd | Not affected | ||
Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Not affected | ||
Red Hat Enterprise Linux 8 | httpd:2.4/mod_http2 | Affected | ||
Red Hat Enterprise Linux 9 | httpd | Affected | ||
Red Hat Enterprise Linux 9 | mod_http2 | Affected | ||
Red Hat JBoss Core Services | httpd | Affected | ||
Red Hat JBoss Core Services | jbcs-httpd24-httpd | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
In certain proxy configurations, a denial of service attack againstApa ...
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
EPSS
7.5 High
CVSS3