Apache 2.4.56 Release Eliminates Vulnerabilities

Apache has released a new version of its HTTP server, Apache 2.4.56, which includes six changes aimed at eliminating two vulnerabilities in the server. Both are HTTP request smuggling vulnerabilities, which can allow an attacker to reach into the contents of requests from other users. The project has fixed these vulnerabilities, tracked as CVE-2023-27522 and CVE-2023-25690 respectively.

The first vulnerability, CVE-2023-27522, affects the mod_proxy_uwsgi module. Attackers can exploit it to split the server's response in two by placing special characters at the end of a backend HTTP header. The second, CVE-2023-25690, is present in mod_proxy and can be exploited when certain request-rewriting rules or patterns are in use.

Exploitation relies on rewrite rules that substitute parts of the incoming request into the request the proxy sends onward. This can lead to requests reaching internal resources behind the proxy that are not meant to be reachable through it, or to poisoning of cache contents.
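As an added illustration (not code from the article or the Apache project), here is a small Python checker for the risky configuration shape described above: a wildcard capture of the request path re-inserted into a proxied target through a RewriteRule with the P flag or a ProxyPassMatch. The sample configuration and host names are constructed, and the heuristic is deliberately simple (it ignores nested groups and character-class captures).

```python
import re
import shlex

# Constructed sample httpd config (not from the article or the Apache project):
# lines 2 and 4 re-insert a wildcard capture of the request path into a
# proxied URL; line 5 constrains the capture to a safe character set instead.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://backend.example:8080/
ProxyPassMatch "^/api/(.*)$" "http://backend.example:8080/api/$1"
RewriteRule "^/static/([A-Za-z0-9_./-]+)$" "http://cdn.example/$1" [P]
RewriteRule "^/old$" "/new" [R=301,L]
"""

WILDCARD_GROUP = re.compile(r"\.[*+]\??")  # group body is .* .+ .*? or .+?


def wildcard_groups(pattern):
    """1-based indexes of capturing groups whose body is a bare wildcard.
    Nested groups are not analysed (simplified heuristic)."""
    indexes, n = [], 0
    for body in re.findall(r"\(([^()]*)\)", pattern):
        if body.startswith("?"):  # (?:...), (?=...) are not numbered
            continue
        n += 1
        if WILDCARD_GROUP.fullmatch(body):
            indexes.append(n)
    return indexes


def is_proxied(flags):
    """True if a RewriteRule flag string such as [P,L] or [proxy] proxies."""
    names = {f.split("=")[0].strip().lower() for f in flags.strip("[]").split(",")}
    return bool(names & {"p", "proxy"})


def find_risky_rules(config_text):
    """(line, directive, reason) for proxied rules that substitute a wildcard
    capture ($N) of the request-target into the proxied target."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        toks = shlex.split(line, comments=True)
        directive = toks[0].lower() if toks else ""
        proxied = len(toks) >= 3 and (directive == "proxypassmatch" or (
            directive == "rewriterule" and len(toks) > 3 and is_proxied(toks[3])))
        if not proxied:
            continue
        for n in wildcard_groups(toks[1]):
            if re.search(rf"\${n}(?!\d)", toks[2]):
                findings.append((lineno, toks[0], f"wildcard group ${n} re-inserted into proxied target"))
    return findings
```

Running `find_risky_rules(SAMPLE_CONFIG)` reports lines 2 and 4 of the sample; the constrained capture on line 5 and the plain redirect on line 6 are not flagged.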

The new release from Apache also includes some additional features. A -T flag has been added to the rotatelogs utility, allowing subsequent rotated log files to be truncated without truncating the initial log file. mod_ldap now accepts negative values in the LDAPConnectionPoolTTL directive, allowing connections of any age to be reused. Moreover, the mod_md module can now automate certificate management via ACME when built with LibreSSL 3.5.0+, which supports the required digital signature scheme.

The MDChallengeDns01 directive can now be configured for individual domains, and mod_proxy_uwsgi now performs stricter checking and parsing of responses from HTTP backends.

Users are advised to update their systems to prevent exploitation of these vulnerabilities. Further details on the update are available from the official Apache website, including the release announcement, the changelog, and the vulnerabilities page with download links.

