The Apache Software Foundation has announced the release of Apache HTTP Server version 2.4.64, a significant update that addresses eight security vulnerabilities affecting versions from 2.4.0 through 2.4.63. This release is crucial for maintaining server security and performance, as it resolves issues related to HTTP response splitting, server-side request forgery (SSRF), and denial of service (DoS) vulnerabilities.
Key Highlights:
1. Comprehensive Security Fixes: The update rectifies eight vulnerabilities across all 2.4.x versions, including critical flaws like HTTP response splitting and SSRF.
2. SSL/TLS Enhancements: Patches have been applied to resolve issues such as access control bypass, TLS upgrade hijacking, and log injection vulnerabilities.
3. SSRF Vulnerability Mitigation: The release addresses SSRF vulnerabilities that could be exploited through mod_proxy and potential NTLM hash leakage via UNC paths on Windows systems.
4. DoS Vulnerability Resolution: Fixes have been implemented for HTTP/2 DoS vulnerabilities related to proxy configurations and memory exhaustion, necessitating immediate upgrades.
Detailed Overview of Addressed Vulnerabilities:
1. HTTP Response Splitting Vulnerability (CVE-2024-42516): This moderate-severity flaw in the core of Apache HTTP Server allows attackers to manipulate Content-Type response headers, leading to HTTP response splitting. This issue was previously identified as CVE-2023-38709, but the patch in version 2.4.59 was insufficient, necessitating this update.
2. SSL/TLS-Related Vulnerabilities:
– Access Control Bypass (CVE-2025-23048): Affects mod_ssl configurations in versions 2.4.35 through 2.4.63, enabling trusted clients to bypass access controls using TLS 1.3 session resumption in multi-virtual host environments with varying client certificate configurations.
– TLS Upgrade Hijacking (CVE-2025-49812): In configurations using SSLEngine optional for TLS upgrades, this vulnerability allows man-in-the-middle attackers to hijack HTTP sessions via TLS upgrade attacks.
– Log Injection (CVE-2024-47252): Involves insufficient escaping of user-supplied data in mod_ssl, allowing untrusted SSL/TLS clients to insert escape characters into log files when CustomLog configurations use %{varname}x or %{varname}c to log mod_ssl variables like SSL_TLS_SNI.
3. Server-Side Request Forgery (SSRF) Vulnerabilities:
– SSRF via mod_headers (CVE-2024-43204): Affects configurations with mod_proxy loaded and mod_headers set to modify Content-Type headers using HTTP request values. This low-severity vulnerability allows attackers to send outbound proxy requests to attacker-controlled URLs, though it requires an unlikely configuration scenario.
– SSRF on Windows via UNC Paths (CVE-2024-43394): Specifically targets Windows installations, enabling potential NTLM hash leakage to malicious servers through mod_rewrite or Apache expressions that process unvalidated request input via UNC paths. The Apache HTTP Server Project plans to implement stricter standards for accepting future SSRF vulnerability reports regarding UNC paths.
4. Denial of Service (DoS) and Performance Issues:
– DoS in mod_proxy_http2 (CVE-2025-49630): Affects reverse proxy configurations for HTTP/2 backends with ProxyPreserveHost enabled, allowing untrusted clients to trigger assertions in mod_proxy_http2, leading to service disruption.
– Memory-Related DoS in HTTP/2 (CVE-2025-53020): Affects versions 2.4.17 through 2.4.63, involving late release of memory after its effective lifetime, potentially leading to memory exhaustion attacks.
Recommendations:
The Apache Software Foundation strongly advises all users running affected versions to upgrade to Apache HTTP Server 2.4.64 immediately. System administrators should prioritize this update, especially in production environments handling sensitive data or operating in high-security contexts, to mitigate potential exploitation of these vulnerabilities.
