HTTP Server Vulnerabilities Related to Version 2.4.55 and 2.4.56

IDs: 
CVE-2006-20001, CVE-2022-36760, CVE-2022-37436, CVE-2023-25690, CVE-2023-27522
Keywords: 
httpd, Apache
Description: 

Apache HTTP Server version 2.4.55 fixes 3 vulnerabilities [1].
Additionally, Apache HTTP Server version 2.4.56 fixes 2 vulnerabilities [1].
Airlock Gateway uses Apache HTTP Server as the web acceptor for incoming HTTP connections.

Airlock Gateway is not affected.

Details:

  • request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)
    • The combination of the mod_rewrite and mod_proxy modules is only used for the management interface (Configuration Center/REST API). Authentication for the Configuration Center/REST API is performed by a back-end application running on different server software that is not affected by this vulnerability.
      The external interface is not affected. Airlock Gateway protects vulnerable Apache HTTP Servers used in back-end applications against this kind of attack.
  • mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)
    • The module mod_proxy_uwsgi is not used by Airlock Gateway. Airlock Gateway is therefore not affected.
  • mod_dav out of bounds read, or write of zero byte (CVE-2006-20001)
    • The module mod_dav is not used by Airlock Gateway. Airlock Gateway is therefore not affected.
  • mod_proxy_ajp possible request smuggling (CVE-2022-36760)
    • The mod_proxy_ajp module is only used for the management interface (Configuration Center/REST API). Authentication for the Configuration Center/REST API is performed by a back-end application running on different server software that is not affected by this vulnerability.
      The external interface is not affected. Airlock Gateway protects vulnerable Apache HTTP Servers used in back-end applications against this kind of attack.
  • mod_proxy HTTP response splitting (CVE-2022-37436)
    • The mod_proxy module is only used for the management interface. The vulnerability requires a malicious back-end; since all back-ends of the management interface are trusted, it cannot be exploited. The external interface is not affected.
Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
No action required
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock