
Alert: Apache Security Updates – May 2023

The Apache Software Foundation has released a critical security update addressing a vulnerability (CVE-2023-25690) in Apache HTTP Server, which has a CVSSv3 score of 9.8. This vulnerability affects the server under specific configurations and can be exploited for HTTP request smuggling attacks.
 
Affected Systems
 
Apache HTTP Server version 2.4.55 and earlier
 
Security Risks
 
Successful exploitation of the identified vulnerability (CVE-2023-25690) in Apache HTTP Server poses a significant security risk, as remote, unauthenticated attackers can potentially bypass access controls in the proxy server, redirect users to malicious sites, or perform cache poisoning.
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) strongly recommends that system administrators:
 
 
  • Apply the required and latest security updates as soon as possible.
 
The released software version to upgrade to is:
 
 
  • Before any update task, please ensure you have a recent backup that can easily be restored.
 
For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009.
 
References
https://httpd.apache.org/security/vulnerabilities_24.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25690
 

31 May 2023
