{
  "threat_severity" : "Moderate",
  "public_date" : "2022-06-08T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_ajp: Possible request smuggling",
    "id" : "2094997",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2094997"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.", "An HTTP request smuggling vulnerability was found in the mod_proxy_ajp module of httpd. This flaw allows an attacker to smuggle requests to the AJP server, where it forwards requests." ],
  "statement" : "The httpd mod_proxy_ajp module is enabled by default on Red Hat Enterprise Linux 8, 9, and in RHSCL. However, there are no directives forwarding requests using the AJP protocol.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.51-37.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8840",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.51-37.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7647",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8070020220725152258.3b9f49c4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8067",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.53-7.el9"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-09-29T00:00:00Z",
    "advisory" : "RHSA-2022:6753",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-23.el7.5"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2022-12-08T00:00:00Z",
    "advisory" : "RHSA-2022:8841",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd22",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Will not fix",
    "package_name" : "httpd24",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-26377\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-26377\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-26377" ],
  "name" : "CVE-2022-26377",
  "mitigation" : {
    "value" : "Disabling mod_proxy_ajp and restarting httpd will mitigate this flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}