Anolis OS update for httpd:2.4 module
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2023-25690 CVE-2022-28615 CVE-2022-30522 CVE-2022-36760 CVE-2022-37436 |
| CWE-ID | CWE-113 CWE-125 CWE-400 CWE-444 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system httpd-manual Operating systems & Components / Operating system package or component httpd-filesystem Operating systems & Components / Operating system package or component mod_ssl Operating systems & Components / Operating system package or component mod_session Operating systems & Components / Operating system package or component mod_proxy_html Operating systems & Components / Operating system package or component mod_ldap Operating systems & Components / Operating system package or component httpd-tools Operating systems & Components / Operating system package or component httpd-devel Operating systems & Components / Operating system package or component httpd Operating systems & Components / Operating system package or component mod_http2 Operating systems & Components / Operating system package or component mod_md Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) HTTP response splitting
EUVDB-ID: #VU73107
Risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2023-25690
CWE-ID:
CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not correclty process CRLF character sequences in mod_rewrite and mod_proxy. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
httpd-manual: before 2.4.37-51.0.1
httpd-filesystem: before 2.4.37-51.0.1
mod_ssl: before 2.4.37-51.0.1
mod_session: before 2.4.37-51.0.1
mod_proxy_html: before 2.4.37-51.0.1
mod_ldap: before 2.4.37-51.0.1
httpd-tools: before 2.4.37-51.0.1
httpd-devel: before 2.4.37-51.0.1
httpd: before 2.4.37-51.0.1
mod_http2: before 1.15.7-5
mod_md: before 2.0.8-8
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:httpd-manual:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-filesystem:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ssl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_session:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_proxy_html:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ldap:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-tools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_http2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_md:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0106
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Out-of-bounds read
EUVDB-ID: #VU64083
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-28615
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the ap_strcmp_match() function when processing an extremely large input buffer. A remote attacker can send a specially crafted HTTP request to the web server, trigger an out-of-bounds read error and read contents of memory on the system.
Note, the code distributed with the Apache HTTP Server cannot be coerced into such a call. The vulnerability can affect third-party modules or lua scripts that use ap_strcmp_match().
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
httpd-manual: before 2.4.37-51.0.1
httpd-filesystem: before 2.4.37-51.0.1
mod_ssl: before 2.4.37-51.0.1
mod_session: before 2.4.37-51.0.1
mod_proxy_html: before 2.4.37-51.0.1
mod_ldap: before 2.4.37-51.0.1
httpd-tools: before 2.4.37-51.0.1
httpd-devel: before 2.4.37-51.0.1
httpd: before 2.4.37-51.0.1
mod_http2: before 1.15.7-5
mod_md: before 2.0.8-8
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:httpd-manual:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-filesystem:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ssl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_session:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_proxy_html:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ldap:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-tools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_http2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_md:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0106
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU64086
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-30522
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to mod_sed does not properly control consumption of internal resources, if the web server is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
httpd-manual: before 2.4.37-51.0.1
httpd-filesystem: before 2.4.37-51.0.1
mod_ssl: before 2.4.37-51.0.1
mod_session: before 2.4.37-51.0.1
mod_proxy_html: before 2.4.37-51.0.1
mod_ldap: before 2.4.37-51.0.1
httpd-tools: before 2.4.37-51.0.1
httpd-devel: before 2.4.37-51.0.1
httpd: before 2.4.37-51.0.1
mod_http2: before 1.15.7-5
mod_md: before 2.0.8-8
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:httpd-manual:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-filesystem:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ssl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_session:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_proxy_html:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ldap:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-tools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_http2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_md:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0106
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU71242
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-36760
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in mod_proxy_ajp. A remote attacker can send a specially crafted HTTP request to the web server and smuggle arbitrary HTTP headers to the AJP server it forwards requests to.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
httpd-manual: before 2.4.37-51.0.1
httpd-filesystem: before 2.4.37-51.0.1
mod_ssl: before 2.4.37-51.0.1
mod_session: before 2.4.37-51.0.1
mod_proxy_html: before 2.4.37-51.0.1
mod_ldap: before 2.4.37-51.0.1
httpd-tools: before 2.4.37-51.0.1
httpd-devel: before 2.4.37-51.0.1
httpd: before 2.4.37-51.0.1
mod_http2: before 1.15.7-5
mod_md: before 2.0.8-8
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:httpd-manual:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-filesystem:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ssl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_session:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_proxy_html:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ldap:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-tools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_http2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_md:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0106
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) HTTP response splitting
EUVDB-ID: #VU71243
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-37436
CWE-ID:
CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not correctly process CRLF character sequences within the mod_proxy module. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
httpd-manual: before 2.4.37-51.0.1
httpd-filesystem: before 2.4.37-51.0.1
mod_ssl: before 2.4.37-51.0.1
mod_session: before 2.4.37-51.0.1
mod_proxy_html: before 2.4.37-51.0.1
mod_ldap: before 2.4.37-51.0.1
httpd-tools: before 2.4.37-51.0.1
httpd-devel: before 2.4.37-51.0.1
httpd: before 2.4.37-51.0.1
mod_http2: before 1.15.7-5
mod_md: before 2.0.8-8
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:httpd-manual:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-filesystem:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ssl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_session:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_proxy_html:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_ldap:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-tools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:httpd:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_http2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:mod_md:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2023:0106
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
