Oracle HTTP Server 12.2.1.4.0 SSL Module request smuggling

Summaryinfo

A vulnerability was found in Oracle HTTP Server 12.2.1.4.0. It has been declared as very critical. This affects an unknown part of the component SSL Module. The manipulation results in an unknown weakness. This vulnerability is identified as CVE-2023-25690. The attack can be executed remotely. There is not any exploit available.

Detailsinfo

A vulnerability, which was classified as very critical, was found in Oracle HTTP Server 12.2.1.4.0 (Web Server). Affected is some unknown processing of the component SSL Module. CWE is classifying the issue as CWE-444. The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

The weakness was released 07/18/2023 as Oracle Critical Patch Update Advisory - July 2023 as confirmed advisory (Website). The advisory is available at oracle.com. This vulnerability is traded as CVE-2023-25690. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 01/04/2026).

As 0-day the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 211533 (Oracle Linux 9 : httpd (ELSA-2024-9306)), which helps to determine the existence of the flaw in a target environment.

A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at Tenable (211533) and CERT Bund (WID-SEC-2023-0583). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected

• Debian Linux
• IBM Tivoli Monitoring
• Amazon Linux 2
• IBM Rational ClearQuest
• Red Hat Enterprise Linux
• Fedora Linux
• Ubuntu Linux
• SUSE Linux
• IBM HTTP Server
• Oracle Linux
• IBM Security Access Manager for Enterprise Single Sign-On
• Red Hat JBoss Core Services
• Xerox FreeFlow Print Server
• IBM Business Automation Workflow
• IBM Rational ClearCase
• IBM QRadar SIEM
• IBM Power Hardware Management Console
• Apache HTTP Server
• Dell NetWorker
• IBM Rational Build Forge

Productinfo

Type

• Web Server

Vendor

• Oracle

Name

• HTTP Server

Version

• 12.2.1.4.0

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion