{ "threat_severity" : "Moderate", "public_date" : "2023-01-17T00:00:00Z", "bugzilla" : { "description" : "httpd: mod_proxy: HTTP response splitting", "id" : "2161773", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2161773" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-113", "details" : [ "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.", "A flaw was found in the mod_proxy module of httpd. A malicious backend can cause the response headers to be truncated because they are not cleaned when an error is found while reading them, resulting in some headers being incorporated into the response body and not being interpreted by a client." ], "statement" : "This flaw is only exploitable via bad headers generated by a malicious backend or a malicious application.\nhttpd as shipped in Red Hat Enterprise Linux 7, 8, 9 and in RHSCL is vulnerable to this flaw. httpd as shipped in Red Hat Enterprise Linux 6 is not affected.\nThis flaw has been rated as having a security impact of moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.", "affected_release" : [ { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2023-08-15T00:00:00Z", "advisory" : "RHSA-2023:4629", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-httpd-0:2.4.57-5.el8jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2023-08-15T00:00:00Z", "advisory" : "RHSA-2023:4629", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.57-5.el7jbcs" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-02-21T00:00:00Z", "advisory" : "RHSA-2023:0852", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "httpd:2.4-8070020230131172653.bd1311ed" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-02-28T00:00:00Z", "advisory" : "RHSA-2023:0970", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "httpd-0:2.4.53-7.el9_1.1" }, { "product_name" : "Text-Only JBCS", "release_date" : "2023-08-15T00:00:00Z", "advisory" : "RHSA-2023:4628", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "httpd" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "httpd22", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "httpd24-httpd", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-37436\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37436\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436" ], "name" : "CVE-2022-37436", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. It's recommended to update the affected packages as soon as an update is available.", "lang" : "en:us" }, "csaw" : false }