Vulnerability Name:

CVE-2022-26377 (CCN-228343)

Assigned:2022-06-08
Published:2022-06-08
Updated:2022-08-24
Summary:Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-444
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2022-26377

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20220608 CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

Source: XF
Type: UNKNOWN
apache-http-cve202226377-request-smuggling(228343)

Source: CCN
Type: Apache Web site
mod_proxy_ajp: Possible request smuggling

Source: MISC
Type: Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-b54a8dee29

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-e620fb15d5

Source: CCN
Type: oss-sec Mailing List, Wed, 08 Jun 2022 09:42:22 +0000
CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-20

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/

Source: CCN
Type: IBM Security Bulletin 6595149 (HTTP Server)
Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6607888 (Tivoli Monitoring)
Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6610841 (Security SiteProtector System)
IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6837299 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to HTTP request smuggling due to CVE-2022-26377

Source: CCN
Type: IBM Security Bulletin 6952319 (Aspera Faspex)
IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)

Source: CCN
Type: IBM Security Bulletin 6952365 (Aspera Orchestrator)
IBM Aspera Orchestrator vulnerable to HTTP request smuggling due to an Apache HTTP Server vulnerability (CVE-2022-26377)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:http_server:*:*:*:*:*:*:*:* (Version >= 2.4.0 and <= 2.4.53)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:http_server:2.4.18:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.20:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.23:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.29:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.25:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.26:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.27:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.28:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.34:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.35:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.38:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.43:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.46:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.48:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.50:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.51:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.52:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.53:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:http_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:http_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:http_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_siteprotector_system:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:aspera_faspex:4.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7434
    P
    		apache2-2.4.51-150400.6.11.1 on GA media (Moderate)
    2023-06-12
    oval:com.redhat.rhsa:def:20228067
    P
    		RHSA-2022:8067: httpd security, bug fix, and enhancement update (Moderate)
    2022-11-15
    oval:com.redhat.rhsa:def:20227647
    P
    		RHSA-2022:7647: httpd:2.4 security update (Moderate)
    2022-11-08
    oval:org.opensuse.security:def:119249
    P
    		Security update for apache2 (Important)
    2022-07-08
    oval:org.opensuse.security:def:119440
    P
    		Security update for apache2 (Important)
    2022-07-08
    oval:org.opensuse.security:def:118754
    P
    		Security update for apache2 (Important)
    2022-07-08
    oval:org.opensuse.security:def:119625
    P
    		Security update for apache2 (Important)
    2022-07-08
    oval:org.opensuse.security:def:118944
    P
    		Security update for apache2 (Important)
    2022-07-08
    oval:org.opensuse.security:def:95252
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93306
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:94039
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:3740
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:95370
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93464
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:94251
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:3763
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:95396
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93618
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:554
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:94460
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93146
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93825
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:3622
    P
    		Security update for apache2 (Important)
    2022-07-06
    oval:org.opensuse.security:def:126900
    P
    		Security update for apache2 (Important)
    2022-06-16
    oval:org.opensuse.security:def:6073
    P
    		Security update for apache2 (Important)
    2022-06-16
    oval:org.opensuse.security:def:127297
    P
    		Security update for apache2 (Important)
    2022-06-16
    oval:org.opensuse.security:def:125734
    P
    		Security update for apache2 (Important)
    2022-06-16
    oval:org.opensuse.security:def:5275
    P
    		Security update for apache2 (Important)
    2022-06-16
    oval:org.opensuse.security:def:931
    P
    		Security update for apache2 (Important) (in QA)
    2022-06-14
    oval:org.opensuse.security:def:1528
    P
    		Security update for apache2 (Important) (in QA)
    2022-06-14
    oval:org.opensuse.security:def:1682
    P
    		Security update for apache2 (Important) (in QA)
    2022-06-14
    BACK
    apache http server *
    fedoraproject fedora 35
    fedoraproject fedora 36
    netapp clustered data ontap -
    apache http server 2.4.18
    apache http server 2.4.20
    apache http server 2.4.23
    apache http server 2.4.29
    apache http server 2.4.33
    apache http server 2.4.25
    apache http server 2.4.26
    apache http server 2.4.27
    apache http server 2.4.28
    apache http server 2.4.34
    apache http server 2.4.35
    apache http server 2.4.37
    apache http server 2.4.38
    apache http server 2.4.39
    apache http server 2.4.41
    apache http server 2.4.43
    apache http server 2.4.46
    apache http server 2.4.48
    apache http server 2.4.49
    apache http server 2.4.50
    apache http server 2.4.51
    apache http server 2.4.52
    apache http server 2.4.53
    ibm http server 7.0
    ibm http server 8.0
    ibm http server 8.5
    ibm tivoli monitoring 6.3.0
    ibm security siteprotector system 3.1.1
    ibm aspera faspex 4.4.1
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0