RE: question on CVE-2023-36760

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thank you for responding.  I’m wondering though, how do I confirm it is using AJP or not using AJP for sure?

 

Thanks,

Pashia

 

From: Otis Dewitt - NOAA Affiliate <otis.dewitt@xxxxxxxx.INVALID>
Sent: Tuesday, February 7, 2023 9:46 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] question on CVE-2023-36760

 

*External Email: Use caution responding, opening attachments, or clicking on links.*

If you are not using "Apache JServ Protocol (AJP)" then the CVE does not pertain to your Apache server.

 

On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.thao@xxxxxxxxxxxxxxxxxx> wrote:

PWEB server is running a version of Apache affected.

 

Our prod web server is running a version of the Apache affected by by CVE-2023-36760, which is a critical vulnerability affecting versions of Apache server <= 2.4.54. CVE-2023-36760 allows for potential HTTP request smuggling from the Apache server through the Apache JServ Protocol (AJP) to the application server.

 

How do I check whether AJP is being utilized to proxy requests from the WEB server to the APPlication server? Also does that mean that if our WEB server does not use AJP, then that means we shouldn’t need to worry about this vulnerability and do not need to upgrade to the new Apache version, 2.4.55?

 

Please clarify. 

 

Thank you,

Pashia

 

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux