Re: question on CVE-2023-36760

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Well, what does your Proxy directive look like ? if it uses the ajp
protocol, then you use AJP, if it says https or something else, then you
don't use AJP.

ProxyPass "/app" "ajp://backend.example.com:8009/app"   (you use ajp)
ProxyPass "/app" "https://backend.example.com:8009/app"; (you don't use ajp)

see: https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html

:wq

Carsten




On Tue, Feb 07, 2023 at 03:53:29PM +0000, Thao, Pashia wrote:
> Thank you for responding.  I’m wondering though, how do I confirm it is using AJP or not using AJP for sure?
> 
> Thanks,
> Pashia
> 
> From: Otis Dewitt - NOAA Affiliate <otis.dewitt@xxxxxxxx.INVALID>
> Sent: Tuesday, February 7, 2023 9:46 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re:  question on CVE-2023-36760
> 
> 
> *External Email: Use caution responding, opening attachments, or clicking on links.*
> If you are not using "Apache JServ Protocol (AJP)" then the CVE does not pertain to your Apache server.
> 
> On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.thao@xxxxxxxxxxxxxxxxxx<mailto:pashia.thao@xxxxxxxxxxxxxxxxxx>> wrote:
> PWEB server is running a version of Apache affected.
> 
> Our prod web server is running a version of the Apache affected by by CVE-2023-36760<https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which is a critical vulnerability affecting versions of Apache server <= 2.4.54<https://httpd.apache.org/security/vulnerabilities_24.html>. CVE-2023-36760 allows for potential HTTP request smuggling from the Apache server through the Apache JServ Protocol (AJP) to the application server.
> 
> How do I check whether AJP is being utilized to proxy requests from the WEB server to the APPlication server? Also does that mean that if our WEB server does not use AJP, then that means we shouldn’t need to worry about this vulnerability and do not need to upgrade to the new Apache version, 2.4.55?
> 
> Please clarify.
> 
> Thank you,
> Pashia
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux