
fhir-proxy | 3 apache vulnerabilities fixed in apache 2.4.59 #190

Closed
christiangierschner opened this issue Apr 15, 2024 · 1 comment · Fixed by #196
Comments

@christiangierschner

Hi,

there are 3 Apache vulnerabilities fixed in Apache 2.4.59:

CVE-2023-38709
CVE-2024-24795
CVE-2024-27316

2.4.58 is used in fhir-proxy

Could you please update Apache to 2.4.59, offer a mitigation, or give a vulnerability assessment?

Thanks.

Christian

@christiangierschner christiangierschner added bug report Something may not be working needs triage labels Apr 15, 2024
@hhund
Member

hhund commented Apr 16, 2024

Hi @christiangierschner,

thanks for the report. Based on the available information, we do not need to release a new version immediately. But since information on how to exploit these vulnerabilities is currently sparse, we will likely create a maintenance release shortly anyway.

CVE-2023-38709

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

The fhir-proxy module only communicates with our fhir application server.

CVE-2024-24795

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

The fhir application server does not send any HTTP response headers with user controlled data.

CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

The http2 module is not loaded.

@hhund hhund added bug Something isn't working and removed bug report Something may not be working labels Apr 16, 2024
@hhund hhund added this to the 1.5.1 milestone Apr 16, 2024
@hhund hhund self-assigned this Apr 17, 2024
@hhund hhund added the ready for release Issue is fixed and merged into develop, ready for next release label Apr 17, 2024
@hhund hhund mentioned this issue Apr 17, 2024
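A check that mirrors the conditions the assessment above relies on (the httpd version and whether mod_http2 is loaded), added here as an example; it is not fhir-proxy project code, and the `httpd -v` / `httpd -M` outputs it parses are constructed samples.

```shell
# Added example (not fhir-proxy code): evaluate an httpd deployment against the
# conditions in the assessment: build version vs. 2.4.59 and whether mod_http2
# is loaded. The two sample outputs below are constructed stand-ins for the real
# `httpd -v` and `httpd -M` output.
SAMPLE_VERSION='Server version: Apache/2.4.58 (Unix)
Server built:   Oct 16 2023 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 ssl_module (shared)'
FIXED_IN=2.4.59

# httpd_version TEXT: extract the dotted version from `httpd -v` output
httpd_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
}

# version_ge A B: succeed when dotted version A >= B, compared per component
version_ge() {
  printf '%s\n%s\n' "$1" "$2" | awk -F. '
    NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; n = NF }
    NR == 2 { m = (NF > n) ? NF : n
              for (i = 1; i <= m; i++) {
                if (a[i] + 0 > $i + 0) exit 0
                if (a[i] + 0 < $i + 0) exit 1
              }
              exit 0 }'
}

# module_loaded NAME TEXT: succeed when NAME_module is listed in `httpd -M` output
module_loaded() {
  printf '%s\n' "$2" | grep -q "^ *${1}_module "
}

# assess VERSION_TEXT MODULES_TEXT: one verdict line per CVE for this deployment
assess() {
  v=$(httpd_version "$1")
  if version_ge "$v" "$FIXED_IN"; then patched=yes; else patched=no; fi
  if module_loaded http2 "$2"; then h2=yes; else h2=no; fi
  printf 'httpd %s (fixed in %s) patched=%s\n' "$v" "$FIXED_IN" "$patched"
  printf 'CVE-2023-38709 CVE-2024-24795: response splitting via backend, patched=%s\n' "$patched"
  printf 'CVE-2024-27316: requires mod_http2, loaded=%s\n' "$h2"
}

assess "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

On a real host, replace the two sample strings with `$(httpd -v)` and `$(httpd -M)` (or `apachectl -M`, depending on the distribution).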