Apache HTTP Server Vulnerabilities Related to Version 2.4.54

IDs: 
CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813
Keywords: 
httpd, Apache
Description: 

Apache HTTP Server version 2.4.54 fixes 8 vulnerabilities [1]. Airlock Gateway uses Apache HTTP Server as the web acceptor for incoming HTTP connections.

Airlock Gateway is not affected.

Details:

  • mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
    • This module is only used for the management interface (Configuration Center/REST API). Authentication for the Configuration Center/REST API is performed by the back-end application, which runs on different server software that is not affected by this vulnerability. The external interface is not affected. Airlock Gateway protects vulnerable Apache HTTP Servers used in back-end applications against this kind of attack.
  • mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
    • This module is only used by the management interface (Configuration Center/REST API). Exploiting this issue requires IP-based authentication on the origin, which these components do not support, therefore Airlock Gateway is not affected.
  • read beyond bounds via ap_rwrite() (CVE-2022-28614)
    • Airlock Gateway uses this function in a safe way and is not affected.
  • read beyond bounds in ap_strcmp_match() (CVE-2022-28615)
    • Airlock Gateway is not affected.
  • The following modules are not used by Airlock Gateway, which is therefore not affected by these issues:
    • mod_isapi (Windows only): read beyond bounds (CVE-2022-28330)
    • mod_lua: Denial of service in r:parsebody (CVE-2022-29404)
    • mod_sed: denial of service (CVE-2022-30522)
    • mod_lua: Information Disclosure with websockets (CVE-2022-30556)
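The following Python script illustrates the mechanism behind the mod_proxy item above (CVE-2022-31813). It is an added example, not part of the original advisory and not Apache's code: a minimal reverse-proxy header rewriter in two variants. The vulnerable variant adds X-Forwarded-* and then drops every header named in the client's Connection header (the RFC 7230 hop-by-hop rule), so a client that sends "Connection: close, X-Forwarded-For" makes the proxy delete the header the proxy itself just added. The hardened variant applies the hop-by-hop rule to the client's headers only and sets X-Forwarded-* afterwards, so they are never under client control. IP addresses and host names are constructed from documentation ranges; the function names and the exact fixed ordering are this example's assumptions, not a description of Apache internals.

```python
"""Hop-by-hop header stripping and X-Forwarded-For (illustration of CVE-2022-31813).

Added example, not Apache code. Models only header handling between a
reverse proxy and its origin; all request data is constructed inline.
"""
from typing import List, Optional, Set, Tuple

Headers = List[Tuple[str, str]]

# Always hop-by-hop per RFC 7230 section 6.1; a proxy never forwards these.
ALWAYS_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def hop_by_hop_names(headers: Headers) -> Set[str]:
    """Header names the client listed in its Connection header(s)."""
    names: Set[str] = set()
    for name, value in headers:
        if name.lower() == "connection":
            names.update(tok.strip().lower() for tok in value.split(",") if tok.strip())
    return names


def strip_hop_by_hop(headers: Headers, names: Set[str]) -> Headers:
    """Remove every header whose name is in `names` (case-insensitive)."""
    return [(n, v) for n, v in headers if n.lower() not in names]


def add_forwarded(headers: Headers, client_ip: str, host: str, server_name: str) -> Headers:
    """Append the proxy's X-Forwarded-* headers, chaining X-Forwarded-For
    onto an existing value the way a multi-hop proxy chain would."""
    out: Headers = []
    xff_seen = False
    for n, v in headers:
        low = n.lower()
        if low == "x-forwarded-for":
            out.append((n, f"{v}, {client_ip}"))
            xff_seen = True
        elif low in ("x-forwarded-host", "x-forwarded-server"):
            continue  # replaced by the proxy's own values below
        else:
            out.append((n, v))
    if not xff_seen:
        out.append(("X-Forwarded-For", client_ip))
    out += [("X-Forwarded-Host", host), ("X-Forwarded-Server", server_name)]
    return out


def proxy_headers_vulnerable(client_headers: Headers, client_ip: str, host: str, server_name: str) -> Headers:
    """Pre-fix behaviour: X-Forwarded-* are added first, then the hop-by-hop
    rule is applied to the merged set, so a client-named X-Forwarded-For is dropped."""
    names = ALWAYS_HOP_BY_HOP | hop_by_hop_names(client_headers)
    return strip_hop_by_hop(add_forwarded(client_headers, client_ip, host, server_name), names)


def proxy_headers_fixed(client_headers: Headers, client_ip: str, host: str, server_name: str) -> Headers:
    """Hardened behaviour (this example's ordering): strip hop-by-hop names from
    the client's headers only, then add the proxy's own X-Forwarded-* values."""
    names = ALWAYS_HOP_BY_HOP | hop_by_hop_names(client_headers)
    return add_forwarded(strip_hop_by_hop(client_headers, names), client_ip, host, server_name)


def forwarded_client_ip(headers: Headers) -> Optional[str]:
    """What an origin doing IP-based authentication would read: the last
    X-Forwarded-For entry, or None if the header never arrived."""
    for n, v in headers:
        if n.lower() == "x-forwarded-for":
            return v.split(",")[-1].strip()
    return None


# Constructed sample requests (RFC 5737 documentation addresses, .test names).
CLIENT_IP = "203.0.113.7"
ATTACK_HEADERS: Headers = [
    ("Host", "app.example.test"),
    ("Connection", "close, X-Forwarded-For"),  # names the proxy's header as hop-by-hop
    ("User-Agent", "curl/7.88.1"),
]
BENIGN_HEADERS: Headers = [("Host", "app.example.test"), ("Connection", "keep-alive")]

if __name__ == "__main__":
    for label, fn in (("vulnerable", proxy_headers_vulnerable), ("fixed", proxy_headers_fixed)):
        out = fn(ATTACK_HEADERS, CLIENT_IP, "app.example.test", "proxy.example.test")
        print(f"{label}: origin sees client IP = {forwarded_client_ip(out)}")
```

Run stand-alone, the vulnerable variant forwards the attack request without any X-Forwarded-For, so an origin that keys access on that header only sees the proxy's own address, while the hardened variant still delivers 203.0.113.7. Whether that absence actually bypasses anything depends on the origin trusting the proxy's peer address as a fallback, which is exactly why the advisory's assessment hinges on whether IP-based authentication is in use behind the affected mod_proxy instance.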
Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
No action required
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock