| Package | apache2 |
|---|---|
| Version | 2.4.59-1~deb10u5 (buster) |
| Related CVEs | CVE-2024-42516 CVE-2024-43204 CVE-2024-47252 CVE-2025-23048 CVE-2025-49630 CVE-2025-49812 CVE-2025-53020 |
Multiple vulnerabilities have been addressed in Apache, a widely used web server.
Please note that the fix for CVE-2025-23048, included in this ELA, may cause some SSL-enabled websites to encounter the error AH02032. Additional details are provided at the end of this advisory.
CVE-2024-42516
HTTP response splitting in the core of Apache HTTP Server allows an
attacker who can manipulate the Content-Type response headers of
applications hosted or proxied by the server can split the HTTP response
CVE-2024-43204
A SSRF (Server Side Request Forgery) was found in Apache HTTP Server
with mod_proxy loaded allows an attacker to
send outbound proxy requests to a URL controlled by the attacker.
This attack requires an unlikely configuration where mod_headers
is configured to modify the Content-Type request or response header with a
value provided in the HTTP request
CVE-2024-43394
A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows
allows to potentially leak NTLM hashes to a malicious server via mod_rewrite
or apache expressions that pass unvalidated request input.
CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl allows an untrusted
SSL/TLS client to insert escape characters into log files in some
configurations. In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as
SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and
unsanitized data provided by the client may appear in log files.
CVE-2025-23048
An access control bypass by trusted clients is possible using TLS 1.3
session resumption. Configurations are affected when mod_ssl is
configured for multiple virtual hosts, with each restricted to a
different set of trusted client certificates
(for example with a different SSLCACertificateFile/Path setting).
In such a case, a client trusted to access one virtual host may be able to
access another virtual host, if SSLStrictSNIVHostCheck is not enabled
in either virtual host.
CVE-2025-49630
In certain proxy configurations, a denial of service attack against
Apache HTTP Server can be triggered by untrusted clients causing
an assertion in mod_proxy_http2. Configurations affected are a
reverse proxy is configured for an HTTP/2 backend, with
ProxyPreserveHost set to "on".
CVE-2025-49812
In some mod_ssl configurations on Apache HTTP server, an HTTP
desynchronisation attack allows a man-in-the-middle attacker
to hijack an HTTP session via a TLS upgrade. Only configurations
using "SSLEngine optional" to enable TLS upgrades are affected.
Support for TLS upgrade was removed.
CVE-2025-53020
A late Release of Memory after Effective Lifetime vulnerability
was found in Apache HTTP Server.
Note that following the resolution of CVE-2025-23048, some SSL-enabled websites may begin encountering the error (AH02032):
Misdirected Request:
The client needs a new connection for this request as the
requested host name does not match the Server Name Indication
(SNI) in use for this connection.
This behavior is particularly noticeable with AWS Application Load Balancers. Although they support intelligent SNI handling, they do not (as of this writing) relay SNI data to the target server, resulting in failed connections when hostnames don’t align.
Without an SNI provided by the client, there is nothing httpd can do to determine which vhost/configuration should be used to provide the correct certificate (and TLS authentication eventually) whenever multiple vhosts listen on the same IP:port.
That’s because reading the HTTP Host header necessarily has to happen after the TLS handshake/auth/decryption (and later renegotiation is not an option with TLSv1.3).
So those connections fall back to the first vhost declared on the IP:port for the TLS handshake part, and if the request Host header finally matches a different vhost with a different TLS configuration it’s rejected with AH02032.
Before 2.4.64 (or this backport) the check was not accurate and would allow that, with security implications.
As a workaround, you may (after a risk analysis) generate a wildcard certificate. If you’re managing multiple domains, consolidate them into a single certificate by including each wildcard domain as an alias. Then, update the Apache configuration to reference this unified certificate.
Another possible workaround is to configure each virtual host to listen on a separate port. This approach avoids SNI-related issues by ensuring that each vhost is uniquely addressed through its own connection endpoint, thereby allowing distinct TLS configurations without ambiguity.
This error may also stem from a misconfigured HAProxy setup. In such cases, enabling dynamic SNI handling on HAProxy might be necessary to ensure that the correct hostname is passed through during the TLS handshake. After risk analysis, it could be done by using “sni req.hdr(Host)” directive.
This error may also be caused by a misconfigured Nginx proxy setup. In such scenarios, enabling Server Name Indication (SNI) when connecting to the backend may be necessary to ensure that the correct hostname is transmitted during the TLS handshake. After conducting a risk analysis, this can be achieved by configuring the “proxy_ssl_server_name on;” and “proxy_ssl_name $host;” directives.
For Debian 10 buster, these problems have been fixed in version 2.4.59-1~deb10u5.
We recommend that you upgrade your apache2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.