CVE-2022-31813
📋 TL;DR
This vulnerability in Apache HTTP Server allows attackers to bypass IP-based authentication by manipulating the Connection header to prevent X-Forwarded-* headers from reaching origin servers. It affects Apache HTTP Server versions 2.4.53 and earlier when used as a reverse proxy. This enables unauthorized access to backend applications that rely on X-Forwarded-* headers for access control.
💻 Affected Systems
- Apache HTTP Server
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of IP-based authentication allowing unauthorized access to sensitive backend applications and data, potentially leading to data breaches or system compromise.
Likely Case
Unauthorized access to applications behind reverse proxies that use X-Forwarded-* headers for IP-based access control, potentially exposing internal applications.
If Mitigated
Limited impact if applications don't rely on X-Forwarded-* headers for authentication or if additional authentication layers exist.
🎯 Exploit Status
Exploitation requires sending specially crafted Connection headers to bypass X-Forwarded-* header forwarding.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache HTTP Server 2.4.54
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Download Apache HTTP Server 2.4.54 or later from https://httpd.apache.org/download.cgi
2. Stop Apache service
3. Backup current configuration
4. Install new version
5. Restart Apache service
🔧 Temporary Workarounds
ModSecurity Rule
Block malicious Connection headers that could exploit this vulnerability. Connection is a comma-separated, case-insensitive token list, so the rules lowercase the value and accept commas as well as whitespace around each token:
SecRule REQUEST_HEADERS:Connection "@rx (?:^|[\s,])x-forwarded-(?:for|host|proto|server)(?:$|[\s,])" "id:1001,phase:1,t:none,t:lowercase,deny,status:400,log,msg:'CVE-2022-31813 exploit attempt'"
SecRule REQUEST_HEADERS:Connection "@rx (?:^|[\s,])proxy-(?:connection|authenticate|authorization)(?:$|[\s,])" "id:1002,phase:1,t:none,t:lowercase,deny,status:400,log,msg:'CVE-2022-31813 exploit attempt'"
Rewrite Rule
Strip problematic Connection headers at the reverse proxy
RequestHeader unset Connection early
🧯 If You Can't Patch
- Implement application-level authentication that doesn't rely solely on X-Forwarded-* headers
- Use network segmentation to isolate backend applications from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Run 'httpd -v' or 'apache2 -v' and check whether the reported version is 2.4.53 or earlier
Check Version:
httpd -v
Verify Fix Applied:
Verify that the Apache version is 2.4.54 or later, and test that X-Forwarded-* headers still reach the backend when a request's Connection header lists them as hop-by-hop tokens
📡 Detection & Monitoring
Log Indicators:
- Unusual Connection header patterns in access logs (the client's Connection request header only appears there if the LogFormat records it, e.g. with %{Connection}i)
- Failed authentication attempts from unexpected IPs in backend application logs
Network Indicators:
- HTTP requests with Connection headers containing X-Forwarded-* or Proxy-* tokens
- Unusual traffic patterns bypassing reverse proxy authentication
SIEM Query:
source="apache_access" AND (Connection="*X-Forwarded-*" OR Connection="*Proxy-*")
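An added example of the log-based detection above (not code from the original page or from the Apache project): it parses constructed access-log lines written with an assumed LogFormat that appends the client's Connection request header via %{Connection}i, splits that header into its comma-separated tokens, and flags entries that name X-Forwarded-* or Proxy-* headers as hop-by-hop.

```python
import re

# Constructed sample access-log lines (not real traffic). Assumed LogFormat:
# combined format followed by "%{Connection}i" in quotes as the last field.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2022:10:00:01 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/7.83" "keep-alive"
203.0.113.7 - - [08/Jun/2022:10:00:02 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/7.83" "close, X-Forwarded-For"
198.51.100.4 - - [08/Jun/2022:10:00:03 +0000] "GET /api HTTP/1.1" 200 88 "-" "Mozilla/5.0" "Keep-Alive,x-forwarded-host"
198.51.100.4 - - [08/Jun/2022:10:00:04 +0000] "GET /api HTTP/1.1" 200 88 "-" "Mozilla/5.0" "Proxy-Authorization"
192.0.2.9 - - [08/Jun/2022:10:00:05 +0000] "GET / HTTP/1.1" 200 10 "-" "Mozilla/5.0" "-"
"""

# Headers the reverse proxy itself adds or consumes; a client has no
# legitimate reason to declare them hop-by-hop in its Connection header.
SUSPICIOUS_PREFIXES = ("x-forwarded-", "proxy-")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"[^"]*" "[^"]*" "(?P<conn>[^"]*)"$'
)


def connection_tokens(value):
    """Split a Connection header value into lower-cased tokens.

    Connection is a comma-separated list of case-insensitive tokens, so
    "close, X-Forwarded-For" and "close,x-forwarded-for" are equivalent.
    """
    if value in ("", "-"):  # "-" is how Apache logs an absent header
        return []
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def suspicious_tokens(value):
    """Return the Connection tokens that name proxy-managed headers."""
    return [t for t in connection_tokens(value) if t.startswith(SUSPICIOUS_PREFIXES)]


def scan_log(text):
    """Yield (client_ip, request_line, offending_tokens) for each flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the assumed format; skip rather than guess
        bad = suspicious_tokens(m.group("conn"))
        if bad:
            hits.append((m.group("ip"), m.group("req"), bad))
    return hits


if __name__ == "__main__":
    for ip, req, bad in scan_log(SAMPLE_LOG):
        print(f"{ip} {req!r}: Connection declares {', '.join(bad)} hop-by-hop")
```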
🔗 References
- http://www.openwall.com/lists/oss-security/2022/06/08/8
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20220624-0005/