Thank you for responding. I’m wondering though, how do I confirm it is using AJP or not using AJP for sure?
Thanks, Pashia From: Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.INVALID> Sent: Tuesday, February 7, 2023 9:46 AM To: users@httpd.apache.org Subject: Re: [users@httpd] question on CVE-2023-36760 *External Email: Use caution responding, opening attachments, or clicking on links.* If you are not using "Apache JServ Protocol (AJP)" then the CVE does not pertain to your Apache server. On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.t...@uwss.wisconsin.edu<mailto:pashia.t...@uwss.wisconsin.edu>> wrote: PWEB server is running a version of Apache affected. Our prod web server is running a version of the Apache affected by by CVE-2023-36760<https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which is a critical vulnerability affecting versions of Apache server <= 2.4.54<https://httpd.apache.org/security/vulnerabilities_24.html>. CVE-2023-36760 allows for potential HTTP request smuggling from the Apache server through the Apache JServ Protocol (AJP) to the application server. How do I check whether AJP is being utilized to proxy requests from the WEB server to the APPlication server? Also does that mean that if our WEB server does not use AJP, then that means we shouldn’t need to worry about this vulnerability and do not need to upgrade to the new Apache version, 2.4.55? Please clarify. Thank you, Pashia
