EcoStruxure IT forum
Schneider Electric support forum about installation and configuration for DCIM including EcoStruxure IT Expert, IT Advisor, Data Center Expert, and NetBotz
Posted: 2024-08-07 01:52 PM
Hi Schneider Electric Support,
Our Rapid7 vulnerability scanner finds a vulnerability on our recently spun up DCE 8.1.1 virtual appliance. I believe it's remediated in 8.1.1, but our scanner doesn't recognize this and we'll need more information from you.
CVE-2022-26377
Fixed in Apache HTTP Server 2.4.54
moderate: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
To add a specific example, this is one of the detections "[apache_os] Matching against banner: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_python/3.5.0 Python/2.7.18" which shows that the detected Apache version is 2.4.37 and CVE-2022-26377 was corrected in version 2.4.54.
If you have placed mitigations in your code, or in your implementation of an open source library, then the scanner may not detect it as we are not doing a full-fledged penetration test with these scans, they are detection/assessments only.
Posted: 2024-08-08 06:16 AM
Hello,
You assessed your scanner result correctly; the scanner is just seeing the 2.4.37 version and making an assumption. DCE 8.1.1 runs a version of Apache 2.4.37 that contains back-ported CVE fixes from Red Hat, so it does contain the fix for CVE-2022-26377 as well as many other CVEs. The specific rpm is httpd-2.4.37-62.module+el8.9.0+1436+2b7d5021.x86_64.
Here is the associated Rocky errata for that CVE: https://errata.rockylinux.org/RLSA-2022:7647. Please note the updated packages and the httpd module version that is older than the module that is present in your 8.1.1 install.
There are some improvements coming in the next version of DCE that should help reduce false positives like this one you are seeing.
Thanks,
M
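The reply above is the classic backport false positive: the scanner compares the upstream version in the Server banner (2.4.37) against the upstream fix version (2.4.54), while the real question is whether the installed distribution package is at or above the build that carries the backported patch. The following script, added here as an illustration and not part of the thread or of Schneider Electric's tooling, shows both checks side by side: a banner-only comparison that flags the host, and a package-level comparison using rpm's version-segment ordering. The installed package string and banner are the ones quoted in this thread; the "fixed" package is a constructed placeholder and must be replaced with the httpd NEVRA listed in RLSA-2022:7647.

```python
import re
from dataclasses import dataclass

# Installed package quoted in the reply above (from the thread).
INSTALLED_PKG = "httpd-2.4.37-62.module+el8.9.0+1436+2b7d5021.x86_64"

# CONSTRUCTED placeholder for the fixed httpd package listed in the errata
# (RLSA-2022:7647). Substitute the real NEVRA from the errata page before use.
ERRATA_FIXED_PKG = "httpd-2.4.37-47.module+el8.7.0+0+deadbeef.x86_64"

# Banner quoted in the original question.
SCANNER_BANNER = "Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_python/3.5.0 Python/2.7.18"
UPSTREAM_FIX_VERSION = "2.4.54"


@dataclass(frozen=True)
class Nevra:
    name: str
    version: str
    release: str
    arch: str


def parse_nevra(pkg: str) -> Nevra:
    """Split 'name-version-release.arch' (optionally with a .rpm suffix)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    base, arch = pkg.rsplit(".", 1)
    # Package names may contain '-', but version and release never do,
    # so split from the right.
    name, version, release = base.rsplit("-", 2)
    return Nevra(name, version, release, arch)


def _segments(s: str) -> list[str]:
    # Like rpmvercmp: walk alternating numeric and alphabetic runs,
    # treating every other character ('.', '+', '_') as a separator.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's version-segment comparison rules
    (tilde/caret pre-release markers are not handled here)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():       # a numeric segment sorts newer than an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):      # the string with more segments is newer
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_evr(a: Nevra, b: Nevra) -> int:
    """Compare version first, then release, as the package manager does."""
    c = rpmvercmp(a.version, b.version)
    return c if c != 0 else rpmvercmp(a.release, b.release)


def package_has_fix(installed: str, fixed: str) -> bool:
    """True when the installed package is at or above the errata's fixed build."""
    i, f = parse_nevra(installed), parse_nevra(fixed)
    if i.name != f.name:
        raise ValueError(f"package name mismatch: {i.name} vs {f.name}")
    return compare_evr(i, f) >= 0


def banner_version(banner: str) -> str:
    """Pull the upstream Apache version out of a Server banner."""
    m = re.search(r"Apache/(\d+(?:\.\d+)*)", banner)
    if not m:
        raise ValueError("no Apache/x.y.z token in banner")
    return m.group(1)


def banner_says_vulnerable(banner: str, upstream_fix: str) -> bool:
    """What a banner-only scanner concludes: upstream version < fix version => flagged."""
    return rpmvercmp(banner_version(banner), upstream_fix) < 0


if __name__ == "__main__":
    print("banner-only verdict, vulnerable:", banner_says_vulnerable(SCANNER_BANNER, UPSTREAM_FIX_VERSION))
    print("package-level verdict, fixed:   ", package_has_fix(INSTALLED_PKG, ERRATA_FIXED_PKG))
```

On the appliance itself, `rpm -q httpd` prints the installed NEVRA to feed into `package_has_fix`, and `rpm -q --changelog httpd | grep CVE-2022-26377` shows the changelog entry for the backported fix, which is the evidence to attach when marking the finding as a false positive in the scanner.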
Posted: 2024-08-22 08:35 AM
Thanks M! That makes sense.
Posted: 2024-08-22 08:49 AM
M,
Do you happen to have a timeframe on the next DCE release?
Thanks,
D