If you are not using "*Apache JServ Protocol (AJP)" *then the CVE does not
pertain to your Apache server.

On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia <pashia.t...@uwss.wisconsin.edu>
wrote:

> PWEB server is running a version of Apache affected.
>
>
>
> Our prod web server is running a version of the Apache affected by by
> CVE-2023-36760 <https://nvd.nist.gov/vuln/detail/CVE-2022-36760>, which
> is a critical vulnerability affecting versions of Apache server <= 2.4.54
> <https://httpd.apache.org/security/vulnerabilities_24.html>. *CVE-2023-36760
> allows for potential HTTP request smuggling from the Apache server through
> the Apache JServ Protocol (AJP) to the application server*.
>
>
>
> How do I check whether *AJP* is being utilized to proxy requests from the
> WEB server to the APPlication server? Also does that mean that if our WEB
> server does not use AJP, then that means we shouldn’t need to worry about
> this vulnerability and do not need to upgrade to the new Apache version,
> 2.4.55?
>
>
>
> Please clarify.
>
>
>
> Thank you,
>
> Pashia
>
>
>

Reply via email to