Vulnerability in DCE 8.1.1

Danl182 · ‎2024-08-07

Hi Schneider Electric Support,

Our Rapid 7 vulnerability scanner finds a vulnerability on our recently spun up DCE 8.1.1 virtual appliance. I believe it's remediated in 8.1.1 but our scanner doesn't recognize this and we'll need more information from you.

CVE-2022-26377

Fixed in Apache HTTP Server 2.4.54
moderate: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.

To add a specific example, this is one of the detections "[apache_os] Matching against banner: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_python/3.5.0 Python/2.7.18" which shows that the detected Apache version is 2.4.37 and CVE-2022-26377 was corrected in version 2.4.54.

If you have placed mitigations in your code, or in your implementation of an open source library, then the scanner may not detect it as we are not doing a full-fledged penetration test with these scans, they are detection/assessments only.

mwhelihan · ‎2024-08-08

Hello,

You assessed your scanner result correctly; the scanner is just seeing the 2.4.37 version and making an assumption. DCE 8.1.1 runs a version of Apache 2.4.37 that contains back-ported CVE fixes from Red Hat, so it does contain the fix for CVE-2022-26377 as well as many other CVEs. The specific rpm is httpd-2.4.37-62.module+el8.9.0+1436+2b7d5021.x86_64.

Here is the associated Rocky errata for that CVE: https://errata.rockylinux.org/RLSA-2022:7647. Please note the updated packages and the httpd module version that is older than the module that is present in your 8.1.1 install.

There are some improvements coming in the next version of DCE that should help reduce false positives like this one you are seeing.

Thanks,

M

Danl182 · ‎2024-08-22

Thanks M! That makes sense

Danl182 · ‎2024-08-22

M,

Do you happen to have a timeframe on the next DCE release?

Thanks,

D