CVE-2022-26377: mod_proxy_ajp: Possible request smuggling
First published: Wed Jun 08 2022(Updated: )
An HTTP request smuggling vulnerability was found in the mod_proxy_ajp module of httpd. This flaw allows an attacker to smuggle requests to the AJP server, where it forwards requests.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd | <2.4.54 | 2.4.54 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-37.el8 | 0:2.4.51-37.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-37.el7 | 0:2.4.51-37.el7 |
| redhat/httpd | <0:2.4.53-7.el9 | 0:2.4.53-7.el9 |
| redhat/httpd24-httpd | <0:2.4.34-23.el7.5 | 0:2.4.34-23.el7.5 |
| Apache HTTP server | >=2.4.0<=2.4.53 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| NetApp Clustered Data ONTAP |
Remedy
Disabling mod_proxy_ajp and restarting httpd will mitigate this flaw.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-26377 https://nvd.nist.gov/vuln/detail/CVE-2022-26377 https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-26377
- https://bugzilla.redhat.com/show_bug.cgi?id=2094997
- https://access.redhat.com/errata/RHSA-2022:8840
- https://access.redhat.com/errata/RHSA-2022:7647
- https://access.redhat.com/errata/RHSA-2022:8067
- https://access.redhat.com/errata/RHSA-2022:8841
- https://access.redhat.com/errata/RHSA-2022:6753
- https://access.redhat.com/security/cve/cve-2022-26377
- https://exchange.xforce.ibmcloud.com/vulnerabilities/228343
- https://www.ibm.com/support/pages/node/6952319 (Advisory)
- http://www.openwall.com/lists/oss-security/2022/06/08/2
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20220624-0005/
- https://www.openwall.com/lists/oss-security/2022/06/08/2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2094998
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-26377?
CVE-2022-26377 is an HTTP request smuggling vulnerability found in the mod_proxy_ajp module of httpd.
How does the Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) vulnerability affect Apache HTTP Server?
The vulnerability allows an attacker to smuggle requests to the AJP server that Apache HTTP Server forwards requests to.
Which versions of Apache HTTP Server are affected by CVE-2022-26377?
Apache HTTP Server versions 2.4.53 and prior are affected.
What is the severity level of CVE-2022-26377?
The severity level of CVE-2022-26377 is high, with a severity value of 7.5.
How can I fix the Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) vulnerability in Apache HTTP Server?
To fix the vulnerability, update Apache HTTP Server to version 2.4.54 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-26377
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.0
- version/apache http server/2.4.53
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/netapp
- canonical/netapp clustered data ontap