If you are not using "*Apache JServ Protocol (AJP)*" then the CVE does not pertain to your Apache server.
On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.t...@uwss.wisconsin.edu> wrote:

> PWEB server is running a version of Apache affected.
>
> Our prod web server is running a version of the Apache affected by
> CVE-2023-36760 <https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which
> is a critical vulnerability affecting versions of Apache server <= 2.4.54
> <https://httpd.apache.org/security/vulnerabilities_24.html>. *CVE-2023-36760
> allows for potential HTTP request smuggling from the Apache server through
> the Apache JServ Protocol (AJP) to the application server*.
>
> How do I check whether *AJP* is being utilized to proxy requests from the
> WEB server to the APPlication server? Also does that mean that if our WEB
> server does not use AJP, then that means we shouldn’t need to worry about
> this vulnerability and do not need to upgrade to the new Apache version,
> 2.4.55?
>
> Please clarify.
>
> Thank you,
>
> Pashia
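
One way to run the check asked about in the quoted message, as an added example that is not part of the original thread: a static scan of an httpd configuration tree for an uncommented `LoadModule proxy_ajp_module` line and for directives that name an `ajp://` backend. The function names, the sample configuration and the host `app.example.internal` are constructed for illustration; point `ajp_status` at your own configuration directory.

```shell
#!/bin/sh
# Added example: static check of an Apache httpd config tree for AJP proxying.

# Uncommented lines that load mod_proxy_ajp.
ajp_module_lines() {
    grep -rniE '^[[:space:]]*LoadModule[[:space:]]+proxy_ajp_module' "$1" 2>/dev/null
}

# Uncommented directives (ProxyPass, BalancerMember, RewriteRule [P], ...)
# that name an ajp:// backend.
ajp_backend_lines() {
    grep -rniE '^[[:space:]]*[^#[:space:]].*ajp://' "$1" 2>/dev/null
}

# Print one of: in-use | loaded-unused | not-loaded
ajp_status() {
    if ! ajp_module_lines "$1" >/dev/null; then
        echo not-loaded
    elif ajp_backend_lines "$1" >/dev/null; then
        echo in-use
    else
        echo loaded-unused
    fi
}

# Constructed sample config (not from the thread) so the script runs offline.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# ProxyPass /old ajp://127.0.0.1:8009/old
IncludeOptional conf.d/*.conf
EOF
    mkdir "$d/conf.d"
    printf '%s\n' 'ProxyPass "/app" "ajp://app.example.internal:8009/app"' \
        > "$d/conf.d/app.conf"
    echo "$d"
}

sample=$(make_sample)
echo "status: $(ajp_status "$sample")"
ajp_module_lines "$sample"     # file:line of the LoadModule directive
ajp_backend_lines "$sample"    # file:line of each ajp:// backend
rm -rf "$sample"
```

A file scan only sees what is written in the configuration files it is given; `apachectl -M` lists the modules the server binary actually loads, including any compiled in statically.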