{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-14T07:24:13Z",
  "bugzilla" : {
    "description" : "httpd: HTTP Session Hijack via a TLS upgrade",
    "id" : "2374580",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2374580"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.", "An HTTP session hijacking flaw was found in Apache httpd. In some mod_ssl configurations on Apache HTTP Server, an HTTP desynchronization attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade." ],
  "statement" : "Only configurations using the \"SSLEngine optional\" directive to enable TLS upgrades are affected.\nThis vulnerability is rated Moderate rather than Important because of the narrow set of affected configurations and the preconditions required for exploitation. It only impacts Apache HTTP Server deployments that set SSLEngine optional, a rarely used configuration that permits opportunistic TLS upgrades over a cleartext HTTP/1.1 connection (RFC 2817, STARTTLS-style negotiation). To exploit the flaw, an attacker needs a man-in-the-middle position on that cleartext connection, and the server must have this optional TLS upgrade enabled, which is uncommon and discouraged in modern secure deployments. The flaw is an HTTP desynchronization during the upgrade, which allows the attacker to hijack the HTTP session while the connection is being upgraded.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-8.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:2.0.29-5.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.50-9.redhat_1.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_md-1:2.4.28-10.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.22-4.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_security-0:2.9.6-11.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-8.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:2.0.29-5.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.50-9.redhat_1.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.4.28-10.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.22-4.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.6-11.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "httpd-0:2.4.63-1.el10_0.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15036",
    "cpe" : "cpe:/o:redhat:rhel_els:6",
    "package" : "httpd-0:2.2.15-71.el6_10.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:14998",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.7",
    "package" : "httpd-0:2.4.6-90.el7_7.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:14997",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "httpd-0:2.4.6-99.el7_9.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-03T00:00:00Z",
    "advisory" : "RHSA-2025:15123",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8100020250728150834.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-09-08T00:00:00Z",
    "advisory" : "RHSA-2025:15516",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "httpd:2.4-8020020250827160659.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15684",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "httpd:2.4-8040020250827161824.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15684",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "httpd:2.4-8040020250827161824.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15698",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "httpd:2.4-8060020250827162806.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15698",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "httpd:2.4-8060020250827162806.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15698",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "httpd:2.4-8060020250827162806.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15619",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "httpd:2.4-8080020250827163339.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15023",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.62-4.el9_6.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-28T00:00:00Z",
    "advisory" : "RHSA-2025:14901",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "httpd-0:2.4.51-7.el9_0.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-28T00:00:00Z",
    "advisory" : "RHSA-2025:14902",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "httpd-0:2.4.53-11.el9_2.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-28T00:00:00Z",
    "advisory" : "RHSA-2025:14903",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "httpd-0:2.4.57-11.el9_4.3"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP1",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13681",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-49812\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49812\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2025-49812",
  "mitigation" : {
    "value" : "No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}
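The advisory data above states that only hosts configured with `SSLEngine optional` are exposed, so the practical question for an operator is "do any of my httpd instances enable the TLS upgrade path?". The following Python is an added example, not Red Hat's or the Apache httpd project's code. It gives two checks: a static scan of httpd configuration text for an active `SSLEngine optional` directive (reporting the enclosing `<VirtualHost>` or `<IfModule>` container), and a live probe that sends the RFC 2817 `Upgrade: TLS/1.0` request over cleartext and reports whether the server answers `101 Switching Protocols`, which is how mod_ssl accepts the upgrade. The sample configuration, the hostnames, the port, and the loopback test double that stands in for a real httpd are all constructed for the example; `httpd -t -D DUMP_INCLUDES` is mentioned as the usual way to list every included config file and is not exercised here.

```python
"""Checks for CVE-2025-49812 (httpd session hijack via TLS upgrade).

Added example; not Red Hat's or the Apache httpd project's code.
find_ssl_engine_optional(): scan httpd config text for an active
    "SSLEngine optional" directive, the only affected configuration.
probe_tls_upgrade(): send an RFC 2817 "Upgrade: TLS/1.0" request over
    cleartext and report whether the server replies 101 Switching Protocols.
"""
import re
import socket
import threading
from typing import List, Tuple

# Apache directive names and the on/off/optional argument are case-insensitive.
_SSLENGINE_RE = re.compile(r"^SSLEngine\s+(\S+)", re.IGNORECASE)
_OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>")
_CLOSE_RE = re.compile(r"^</(\w+)\s*>")

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName legacy.example.test
    # RFC 2817 opportunistic upgrade: the configuration the advisory names
    SSLEngine optional
    SSLCertificateFile /etc/pki/tls/certs/legacy.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>
<IfModule mod_ssl.c>
    # commented out, must not be reported:
    #SSLEngine optional
    sslengine OPTIONAL
</IfModule>
"""


def find_ssl_engine_optional(config_text: str, filename: str = "<config>") -> List[Tuple[str, int, str]]:
    """Return (filename, line_no, context) for each active 'SSLEngine optional'.

    httpd only has whole-line comments, so lines starting with '#' are skipped.
    Include directives are not followed: call this once per file, for example
    for each file printed by `httpd -t -D DUMP_INCLUDES` (assumed available).
    """
    hits: List[Tuple[str, int, str]] = []
    stack: List[str] = []  # enclosing <VirtualHost>/<IfModule>/... containers
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CLOSE_RE.match(line):
            if stack:  # tolerate unbalanced input instead of crashing
                stack.pop()
            continue
        opened = _OPEN_RE.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}".strip())
            continue
        directive = _SSLENGINE_RE.match(line)
        if directive and directive.group(1).lower() == "optional":
            hits.append((filename, line_no, " > ".join(stack) or "server config"))
    return hits


def build_upgrade_request(host: str) -> bytes:
    """RFC 2817 request asking the server to switch this connection to TLS."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> int:
    """HTTP status code from a raw response head, or 0 if it is not HTTP."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0


def _read_head(sock: socket.socket) -> bytes:
    """Read until the blank line that ends an HTTP head, or until EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_tls_upgrade(host: str, port: int = 80, timeout: float = 5.0) -> Tuple[int, bool]:
    """Return (status, upgrade_accepted). 101 means the TLS upgrade path is live.

    The connection is closed after the head; no TLS handshake is attempted.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_upgrade_request(host))
        status = parse_status(_read_head(sock))
    return status, status == 101


def serve_canned_response(response: bytes) -> int:
    """Test double standing in for httpd: one-shot loopback listener that
    answers the first request with `response`. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)

    def handle() -> None:
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5.0)
                _read_head(conn)
                conn.sendall(response)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for fname, line_no, ctx in find_ssl_engine_optional(SAMPLE_CONFIG, "ssl.conf"):
        print(f"{fname}:{line_no}: SSLEngine optional in {ctx}")
    port = serve_canned_response(b"HTTP/1.1 101 Switching Protocols\r\n"
                                 b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
    print("loopback double:", probe_tls_upgrade("127.0.0.1", port))
```

Run the static scan over every file httpd actually loads, not just `ssl.conf`, since the directive can sit in any included vhost file. Point the probe only at hosts you are responsible for; a `101` reply from port 80 means the upgrade path is enabled and that host should move to one of the fixed packages listed above or to upstream 2.4.64, which removes TLS upgrade support entirely.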