KB Article #182227

Is VA Server affected by the CVEs in Apache version 2.4.53?

Problem

There is a new Apache version (2.4.54) which fixes a number of CVEs, but VA Server 5.2 UP202206 was delivered with Apache version 2.4.53.

Resolution

VA Server is not affected by the following CVEs found in Apache version 2.4.53:

CVE-2022-26377: moderate: Possible request smuggling in mod_proxy_ajp

We don't ship the mod_proxy_ajp module with VA Server.

CVE-2022-28330: low: Read beyond bounds in mod_isapi

We don't ship the mod_isapi module with VA Server.

CVE-2022-29404: low: Denial of service in mod_lua r:parsebody

CVE-2022-30556: low: Information disclosure in mod_lua with websockets

We don't ship the mod_lua module with VA Server.

CVE-2022-30522: low: mod_sed denial of service

We don't ship the mod_sed module with VA Server.

CVE-2022-31813: low: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism

We don't ship the mod_proxy module with VA Server.

CVE-2022-28614: low: Read beyond bounds via ap_rwrite()

CVE-2022-28615: low: Read beyond bounds in ap_strcmp_match()

None of these affect VA Server. We don't use or ship any of the affected modules, and for the two low-severity issues in core httpd functions, CVE-2022-28614 and CVE-2022-28615, we don't ship any third-party modules or Lua scripts through which they could be reached.
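To confirm this on a given host, the following added example script (not from the KB article or from VA Server itself) compares the modules an httpd instance actually loads against the modules named in these CVEs; it assumes the standard `httpd -M` / `httpd -v` output format, and the sample listing it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the KB article or VA Server): cross-check the modules
# actually loaded by an httpd instance against the modules named in the
# Apache 2.4.53 CVEs above. Assumes `httpd -M` / `apachectl -M` output format.

# Module -> CVE map taken from the article (mod_lua covers two CVEs).
# CVE-2022-28614/28615 sit in core functions and are only reachable through
# third-party modules or Lua scripts, so they cannot be detected this way.
AFFECTED_MODULES='proxy_ajp_module:CVE-2022-26377
isapi_module:CVE-2022-28330
lua_module:CVE-2022-29404,CVE-2022-30556
sed_module:CVE-2022-30522
proxy_module:CVE-2022-31813'

# server_version: read `httpd -v` output on stdin, print just the version number.
server_version() {
    sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# report_loaded_affected: read `httpd -M` output on stdin and print one line
# "<module> <CVEs>" for each CVE-affected module that is actually loaded.
report_loaded_affected() {
    # `httpd -M` lines look like " proxy_module (shared)" or " core_module (static)"
    loaded=$(awk '/_module \((static|shared)\)/ { print $1 }')
    printf '%s\n' "$AFFECTED_MODULES" | while IFS=: read -r mod cves; do
        for name in $loaded; do
            if [ "$name" = "$mod" ]; then
                printf '%s %s\n' "$mod" "$cves"
            fi
        done
    done
}

# Constructed sample output (not from a real VA Server host) for a dry run:
# a build that has loaded mod_lua and mod_proxy in addition to the basics.
SAMPLE_VERSION='Server version: Apache/2.4.53 (Unix)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
 lua_module (shared)
 proxy_module (shared)
 rewrite_module (shared)'

echo "Apache $(printf '%s\n' "$SAMPLE_VERSION" | server_version) - loaded modules with 2.4.53 CVEs:"
printf '%s\n' "$SAMPLE_MODULES" | report_loaded_affected
```

On a real host, pipe `httpd -M` (or `apachectl -M`) into `report_loaded_affected`; an empty report means none of the module-specific CVEs apply to that instance.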


The Apache version will be updated in 5.2 UP202301.