Debian: CVE-2022-28615 / CVE-2022-29404 / CVE-2022-30522 / CVE-2022-31813: apache2: A flaw was found in the mod_proxy module of httpd

Bug #1985885 reported by Wentao Zhang
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Wentao Zhang

Bug Description

Brief Description
-----------------
Apache HTTP Server 2.4.53 and earlier may fail to send the X-Forwarded-* headers to the origin server when a client-side Connection header nominates them as hop-by-hop. This can be used to bypass IP-based authentication on the origin server or application.

Red Hat's analysis is here: https://access.redhat.com/security/cve/CVE-2022-31813

NIST is here: https://nvd.nist.gov/vuln/detail/CVE-2022-31813
    - no data yet.

Severity
--------
<Minor: System/Feature is usable with minor issue>
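The description above is terse about the two places the defect matters: the proxy, whose own X-Forwarded-* headers can be dropped by a client-supplied Connection header, and the origin, which must not fall back to the proxy's address when that header is missing. The following is an added example written for this page; it is not code from the bug report, from StarlingX, or from httpd. It models both sides in plain Python: `forward_request` strips the hop-by-hop headers a client nominates (RFC 7230 section 6.1) and adds X-Forwarded-For, with the hardened variant stripping before it adds (this ordering is the example's own model of the fix, not httpd's source); `client_ip_for_authz` is an origin-side check that fails closed when a proxied request arrives without X-Forwarded-For; and `forwarding_preserved` is a self-check an operator can run against the model. The addresses, header values, `TRUSTED_PROXIES` and `ALLOWED_CLIENTS` are all constructed for the example.

```python
from ipaddress import ip_address

# Header names that RFC 7230 s6.1 treats as hop-by-hop regardless of Connection.
ALWAYS_HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
                     "te", "trailer", "transfer-encoding", "upgrade"}

# Constructed addresses for the example (RFC 5737 documentation ranges).
PROXY_IP = "10.0.0.2"
TRUSTED_PROXIES = {ip_address(PROXY_IP)}
ALLOWED_CLIENTS = {ip_address("192.0.2.10")}


def nominated_hop_by_hop(headers):
    """Header names the client listed in its own Connection header.
    'close' and 'keep-alive' are connection options, not header names."""
    names = set()
    for token in headers.get("connection", "").split(","):
        token = token.strip().lower()
        if token and token not in ("close", "keep-alive"):
            names.add(token)
    return names


def forward_request(headers, peer_ip, hardened=True):
    """Model of a reverse proxy's outbound header handling.

    headers: the client's request headers, lower-cased names -> values.
    Both variants strip hop-by-hop headers and add X-Forwarded-*; the
    hardened variant strips *before* adding, so a client-nominated
    'Connection: X-Forwarded-For' cannot remove the proxy's own header.
    This ordering is the example's model of the fix, not httpd's code.
    """
    nominated = nominated_hop_by_hop(headers)
    out = dict(headers)

    def strip_hop_by_hop():
        for name in list(out):
            if name in ALWAYS_HOP_BY_HOP or name in nominated:
                del out[name]

    def add_forwarded():
        prior = out.get("x-forwarded-for")
        out["x-forwarded-for"] = f"{prior}, {peer_ip}" if prior else peer_ip
        out["x-forwarded-host"] = headers.get("host", "")

    if hardened:
        strip_hop_by_hop()
        add_forwarded()
    else:
        add_forwarded()
        strip_hop_by_hop()
    return out


def client_ip_for_authz(upstream_headers, peer_ip, fail_closed=True):
    """Origin side: which address the IP allow-list applies to.

    For a request from a trusted proxy, the rightmost X-Forwarded-For entry
    (the one our proxy appended) is the client. If the header is missing,
    fail_closed returns None (deny) instead of falling back to the proxy's
    own address, which is the fallback the CVE description warns about.
    """
    peer = ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer
    xff = upstream_headers.get("x-forwarded-for")
    if xff:
        return ip_address(xff.split(",")[-1].strip())
    return None if fail_closed else peer


def is_allowed(upstream_headers, peer_ip, fail_closed=True):
    """IP-based authorization decision at the origin."""
    client = client_ip_for_authz(upstream_headers, peer_ip, fail_closed)
    return client is not None and client in ALLOWED_CLIENTS


def forwarding_preserved(hardened):
    """Operator self-check: does X-Forwarded-For survive a request whose
    Connection header nominates it as hop-by-hop?"""
    probe = {"host": "app.example", "connection": "X-Forwarded-For"}
    return "x-forwarded-for" in forward_request(probe, "198.51.100.7", hardened)


if __name__ == "__main__":
    req = {"host": "app.example", "connection": "X-Forwarded-For"}
    for hardened in (False, True):
        upstream = forward_request(req, "192.0.2.10", hardened)
        print(f"hardened={hardened}: upstream XFF={upstream.get('x-forwarded-for')!r}, "
              f"allowed(fail-closed)={is_allowed(upstream, PROXY_IP)}")
```

The origin-side check is the part worth keeping even after the proxy is upgraded: an application that treats a missing X-Forwarded-For on a proxied request as "deny" is not exposed to this class of header-dropping bug, whereas one that silently uses the peer address is applying its allow-list to the proxy itself.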

Wentao Zhang (wzhang4)
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/852944

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/852944
Committed: https://opendev.org/starlingx/tools/commit/7b93f4bcd95e4a171e14ceaff6d78d029c987263
Submitter: "Zuul (22348)"
Branch: master

commit 7b93f4bcd95e4a171e14ceaff6d78d029c987263
Author: Wentao Zhang <email address hidden>
Date: Fri Aug 12 17:25:00 2022 +0800

    Debian: apache2: fix CVE-2022-31813

    Upgrade apache2, apache2-bin, apache2-data, apache2-utils to
    the version in which CVE-2022-31813 has been fixed:

    apache2_2.4.53-1~deb11u1_amd64.deb to
    apache2_2.4.54-1~deb11u1_amd64.deb
    apache2-bin_2.4.53-1~deb11u1_amd64.deb to
    apache2-bin_2.4.54-1~deb11u1_amd64.deb
    apache2-data_2.4.53-1~deb11u1_all.deb to
    apache2-data_2.4.54-1~deb11u1_all.deb
    apache2-utils_2.4.53-1~deb11u1_amd64.deb to
    apache2-utils_2.4.54-1~deb11u1_amd64.deb

    (Refer to https://security-tracker.debian.org/tracker/CVE-2022-31813)

    This fix provides the URL of the package in base-bullseye.lst to make
    sure that the binary package can be downloaded no matter how the
    upstream changes.

    Closes-bug: 1985885
    Signed-off-by: Wentao Zhang <email address hidden>
    Change-Id: Ieb31dea74b36f208430e69e9613889b3c236461c

Changed in starlingx:
status: In Progress → Fix Released
Wentao Zhang (wzhang4)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
Ghada Khalil (gkhalil)
tags: added: stx.8.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
summary: - CVE-2022-31813: A flaw was found in the mod_proxy module of httpd
+ Debian: CVE-2022-31813: apache2: A flaw was found in the mod_proxy
+ module of httpd
tags: added: stx.debian
Yue Tao (wrytao)
summary: - Debian: CVE-2022-31813: apache2: A flaw was found in the mod_proxy
- module of httpd
+ Debian: CVE-2022-26377 / CVE-2022-28615 / CVE-2022-29404 /
+ CVE-2022-30522 / CVE-2022-30556 / CVE-2022-31813: apache2: A flaw was
+ found in the mod_proxy module of httpd
Yue Tao (wrytao)
summary: - Debian: CVE-2022-26377 / CVE-2022-28615 / CVE-2022-29404 /
- CVE-2022-30522 / CVE-2022-30556 / CVE-2022-31813: apache2: A flaw was
- found in the mod_proxy module of httpd
+ Debian: CVE-2022-28615 / CVE-2022-29404 / CVE-2022-30522 /
+ CVE-2022-31813: apache2: A flaw was found in the mod_proxy module of
+ httpd