Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk Apache HTTP request
splitting vulnerability [EGI-SVG-CVE-2023-25690]
Date: 2023-04-06
Updated: 2023-06-08
Affected software and risk
==========================
HIGH risk vulnerability concerning Apache HTTP request splitting
Package : Apache HTTP
CVE ID : CVE-2023-25690
CVSS Score : 9.8 [R 1]
A security vulnerability in the Apache web server was recently announced
involving HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690).
The bug is only present when certain configuration options are in place, but
the potential impact to affected systems is severe [R 1]
Actions required/recommended
============================
Sites are recommended to update relevant components as soon as possible,
if they have not done so already.
**UPDATE 2023-06-08**
This is fixed for RHEL8 and RHEL9 and derivatives, as well as RHEL 7 and
derivatives. [R 1]
Component installation information
==================================
Sites running RHEL should see [R 1]
Sites running CentOS should also see [R 2]
Sites running Scientific Linux should see [R 3]
Sites running Debian should see [R 4]
Sites running Ubuntu should see [R 5]
Sites running RockyLinux should see [R 6]
Sites running Almalinux should see [R 7]
More information
================
This information is provided by OSG.
If your Apache web servers have mod_proxy enabled, and your configuration
makes use of the RewriteRule or ProxyPassReverse options, you should install
the updated Apache web server packages when they are available for your
systems and restart the Apache web server.
All Linux systems running Apache HTTP server 2.4.0 - 2.4.55 are affected by
this vulnerability.
An example of a configuration exposed to this vulnerability (mod_proxy enabled,
a proxying RewriteRule that re-inserts part of the request into the target, and
a ProxyPassReverse), something like::

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in
the proxy server, proxying unintended URLs to existing origin servers,
and cache poisoning.
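As an added illustration (not part of the advisory or of OSG's material), the following script audits an httpd configuration for the combination the advisory describes: mod_proxy loaded, a RewriteRule with the proxy flag [P] whose substitution re-inserts captured request data ($N or %N backreferences), the presence of ProxyPassReverse, and an httpd version inside the affected 2.4.0 - 2.4.55 range. The configuration text it scans is a constructed sample; the regexes assume one directive per line and are an assumption, not Apache's own parser.

```python
import re

# Constructed sample httpd.conf fragment (not taken from any real site); the
# proxying RewriteRule mirrors the pattern quoted in the advisory.
SAMPLE_CONFIG = """LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/static/(.*)" "/files/$1" [L]
"""

AFFECTED_RANGE = ((2, 4, 0), (2, 4, 55))  # inclusive, as stated in the advisory

def is_affected_version(version: str) -> bool:
    """True if an httpd version such as '2.4.53' lies within 2.4.0 - 2.4.55."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_RANGE[0] <= parts <= AFFECTED_RANGE[1]

# One-directive-per-line matcher (assumption): pattern, substitution, [flags]
_RULE = re.compile(r'^\s*RewriteRule\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*(\[[^\]]*\])?', re.I)
_BACKREF = re.compile(r'[$%][1-9]')  # $N from RewriteRule, %N from RewriteCond

def mod_proxy_loaded(config_text: str) -> bool:
    return re.search(r'^\s*LoadModule\s+proxy_module\b', config_text, re.I | re.M) is not None

def find_risky_rewrite_rules(config_text: str) -> list:
    """Return (line_no, substitution, backref_in_query) for every RewriteRule
    carrying the [P] (proxy) flag that re-inserts a captured part of the request
    into the proxied target. Returns [] when mod_proxy is not loaded at all."""
    if not mod_proxy_loaded(config_text):
        return []
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = _RULE.match(line)
        if not m or not re.search(r'\bP\b', (m.group(3) or "").upper()):
            continue  # not a RewriteRule, or not one that proxies
        subst = m.group(2).strip('"')
        if _BACKREF.search(subst):
            in_query = bool(_BACKREF.search(subst.partition("?")[2]))
            hits.append((no, subst, in_query))
    return hits

def has_proxypassreverse(config_text: str) -> bool:
    return re.search(r'^\s*ProxyPassReverse\b', config_text, re.I | re.M) is not None

if __name__ == "__main__":
    for no, subst, in_query in find_risky_rewrite_rules(SAMPLE_CONFIG):
        where = "query string" if in_query else "path"
        print(f"line {no}: proxied RewriteRule re-inserts request data into the {where}: {subst}")
    print("ProxyPassReverse present:", has_proxypassreverse(SAMPLE_CONFIG))
    print("httpd 2.4.53 in affected range:", is_affected_version("2.4.53"))
```

A hit from this script means the site should verify its httpd package level against [R 1] to [R 7] and restart the server after updating; it does not by itself prove the deployment is exploitable.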
TLP and URL
===========
** WHITE information - Unlimited distribution - see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-25690
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI,
you may report it by e-mail to
report-vulnerability at egi.eu
and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].
References
==========
[R 1] https://access.redhat.com/security/cve/CVE-2023-25690
[R 2] https://lists.centos.org/pipermail/centos-announce/
[R 3] https://www.scientificlinux.org/category/sl-errata/
[R 4] https://security-tracker.debian.org/tracker/CVE-2023-25690
[R 5] https://ubuntu.com/security/CVE-2023-25690
[R 6] https://errata.rockylinux.org/
[R 7] https://errata.almalinux.org/
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by the OSG team, and this advisory is
largely based on the information they provided to OSG sites.
Timeline
========
2023-04-05 SVG alerted to this issue by OSG
2023-04-06 EGI SVG Risk Assessment completed
2023-04-06 Advisory sent to sites
2023-06-08 Advisory updated and placed on advisories.egi.eu
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,