Apache HTTP Server version 2.4.54 fixes 8 vulnerabilities [1]. Airlock Gateway uses the server as the web acceptor for incoming HTTP connections.
Airlock Gateway is not affected.
Details:
mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
This module is only used for the management interface (Configuration Center/REST API). Authentication for the Configuration Center/REST API is performed by the back-end application, which runs on different server software that is not affected by this vulnerability.
The external interface is not affected. Airlock Gateway protects vulnerable Apache HTTP Servers used in back-end applications against this kind of attack.
mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
This module is only used by the management interface (Configuration Center/REST API). IP-based authentication is not supported by these components; therefore, Airlock Gateway is not affected.
read beyond bounds via ap_rwrite() (CVE-2022-28614)
Airlock Gateway uses this function in a safe way and is not affected.
read beyond bounds in ap_strcmp_match() (CVE-2022-28615)
Airlock Gateway is not affected.
The following modules are not used by Airlock Gateway. Airlock Gateway is therefore not affected.
mod_isapi: read beyond bounds (CVE-2022-28330)
mod_lua: Denial of service in r:parsebody (CVE-2022-29404)
mod_sed: denial of service (CVE-2022-30522)
mod_lua: Information Disclosure with websockets (CVE-2022-30556)