Well, what does your Proxy directive look like? If it uses the ajp
protocol, then you use AJP; if it says https or something else, then you
don't use AJP.

ProxyPass "/app" "ajp://backend.example.com:8009/app"   (you use ajp)
ProxyPass "/app" "https://backend.example.com:8009/app"  (you don't use ajp)

See: https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html

:wq

Carsten




On Tue, Feb 07, 2023 at 03:53:29PM +0000, Thao, Pashia wrote:
> Thank you for responding.  I’m wondering though, how do I confirm it is using 
> AJP or not using AJP for sure?
> 
> Thanks,
> Pashia
> 
> From: Otis Dewitt - NOAA Affiliate <otis.dew...@noaa.gov.INVALID>
> Sent: Tuesday, February 7, 2023 9:46 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] question on CVE-2023-36760
> 
> 
> If you are not using "Apache JServ Protocol (AJP)" then the CVE does not 
> pertain to your Apache server.
> 
> On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia 
> <pashia.t...@uwss.wisconsin.edu<mailto:pashia.t...@uwss.wisconsin.edu>> wrote:
> PWEB server is running a version of Apache affected.
> 
> Our prod web server is running a version of the Apache affected by 
> CVE-2023-36760<https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which is a 
> critical vulnerability affecting versions of Apache server <= 
> 2.4.54<https://httpd.apache.org/security/vulnerabilities_24.html>. 
> CVE-2023-36760 allows for potential HTTP request smuggling from the Apache 
> server through the Apache JServ Protocol (AJP) to the application server.
> 
> How do I check whether AJP is being utilized to proxy requests from the WEB 
> server to the APPlication server? Also does that mean that if our WEB server 
> does not use AJP, then that means we shouldn’t need to worry about this 
> vulnerability and do not need to upgrade to the new Apache version, 2.4.55?
> 
> Please clarify.
> 
> Thank you,
> Pashia
> 
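
The check described in the reply above, written out as an added example (not part of the original thread): a shell scan of an httpd configuration directory for active lines that name an `ajp://` backend, plus a check for a `LoadModule` line for mod_proxy_ajp. The function names and the sample configuration are constructed for illustration; point `scan_ajp` at your own server's configuration directory.

```shell
#!/bin/sh
# Added example: list active (non-comment) httpd config lines that name an
# ajp:// backend, and check for a LoadModule line for mod_proxy_ajp.

# scan_ajp DIR -> prints "file:line: directive ..." for each AJP reference.
scan_ajp() {
    find "$1" -type f | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }                # commented-out directive
            tolower($0) ~ /ajp:\/\// {         # ProxyPass, BalancerMember, ...
                sub(/^[ \t]+/, "")
                printf "%s:%d: %s\n", file, NR, $0
            }' "$f"
    done
}

# ajp_module_loaded DIR -> exit 0 if some file loads proxy_ajp_module.
# A statically built module has no LoadModule line; `apachectl -M` on the
# server lists the modules that are really loaded.
ajp_module_loaded() {
    grep -rqiE '^[[:space:]]*LoadModule[[:space:]]+proxy_ajp_module' "$1"
}

# Constructed sample configuration, used only to demonstrate the scan.
make_sample_conf() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/conf.d"
    cat > "$dir/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# ProxyPass "/old" "ajp://retired.example.com:8009/old"
ProxyPass "/static" "https://backend.example.com:8443/static"
EOF
    cat > "$dir/conf.d/app.conf" <<'EOF'
<Proxy "balancer://appcluster">
    BalancerMember "ajp://backend.example.com:8009"
</Proxy>
proxypass "/app" "ajp://backend.example.com:8009/app"
EOF
    echo "$dir"
}

conf=$(make_sample_conf)
scan_ajp "$conf"
ajp_module_loaded "$conf" && echo "LoadModule line for proxy_ajp_module found"
rm -rf "$conf"
```

No output from `scan_ajp` means no active directive in the scanned files points at an AJP backend; a `LoadModule` line by itself only shows the module is available, not that any request is proxied over AJP.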
