Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. Reference: http://httpd.apache.org/security/vulnerabilities_24.html
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2005129]
This vulnerability is out of security support scope for the following product:

* Red Hat JBoss Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This seems to be the related patch found by looking at the history between 2.4.48 and 2.4.49 and double-checking with the SUSE bug https://bugzilla.suse.com/show_bug.cgi?id=1190669: https://github.com/apache/httpd/commit/fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e
Hi Joe, I saw your comment that we will not fix this issue in rhel7. But our customer's security team needs to fix this requirement from the PCI DSS rule. Do we have any advice? Or is there a plan to fix it in Red Hat JBoss Core Services (jbcs-httpd24-httpd)? Thanks, Hunter
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2022:0143 https://access.redhat.com/errata/RHSA-2022:0143
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-34798
Will this also be addressed for Red Hat Enterprise Linux 8? The 2022:0143 errata seems to only mention Red Hat Enterprise Linux 7.
(In reply to Nathan Coulson from comment #23)
> Will this also be addressed for Red Hat Enterprise Linux 8? The 2022:0143
> errata seems to only mention Red Hat Enterprise Linux 7.

Yes, it'll be addressed in rhel-8.
(In reply to Branislav Náter from comment #24)
> (In reply to Nathan Coulson from comment #23)
> > Will this also be addressed for Red Hat Enterprise Linux 8? The 2022:0143
> > errata seems to only mention Red Hat Enterprise Linux 7.
>
> Yes, it'll be addressed in rhel-8.

As this ticket is still closed, and there are no updates here mentioning plans for an errata for EL8, is this the right place to monitor for when this is resolved? Or is this being done on another ticket?
(In reply to Nathan Coulson from comment #26)
> (In reply to Branislav Náter from comment #24)
> > (In reply to Nathan Coulson from comment #23)
> > > Will this also be addressed for Red Hat Enterprise Linux 8? The 2022:0143
> > > errata seems to only mention Red Hat Enterprise Linux 7.
> >
> > Yes, it'll be addressed in rhel-8.
>
> As this ticket is closed still, and no updates here mentioning plans for an
> errata for EL8,
>
> Is this the right place to monitor for when this is resolved? or is this
> being done on another ticket?

It's tracked here: https://bugzilla.redhat.com/show_bug.cgi?id=2059256
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:0891 https://access.redhat.com/errata/RHSA-2022:0891
There was previously a mitigation listed for this flaw which said to disable ProxyRequests; however, that was the wrong mitigation for this flaw. We investigated further whether a mitigation exists and we were not able to find one.
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753