Amazon Linux 2023: CVE-2024-38477: Important priority package update for httpd

Amazon Linux 2023: CVE-2024-38477: Important priority package update for httpd

Severity

8

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

07/01/2024

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. A flaw was found in the mod_proxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service.

Solution(s)

• amazon-linux-2023-upgrade-httpd
• amazon-linux-2023-upgrade-httpd-core
• amazon-linux-2023-upgrade-httpd-core-debuginfo
• amazon-linux-2023-upgrade-httpd-debuginfo
• amazon-linux-2023-upgrade-httpd-debugsource
• amazon-linux-2023-upgrade-httpd-devel
• amazon-linux-2023-upgrade-httpd-filesystem
• amazon-linux-2023-upgrade-httpd-manual
• amazon-linux-2023-upgrade-httpd-tools
• amazon-linux-2023-upgrade-httpd-tools-debuginfo
• amazon-linux-2023-upgrade-mod-ldap
• amazon-linux-2023-upgrade-mod-ldap-debuginfo
• amazon-linux-2023-upgrade-mod-lua
• amazon-linux-2023-upgrade-mod-lua-debuginfo
• amazon-linux-2023-upgrade-mod-proxy-html
• amazon-linux-2023-upgrade-mod-proxy-html-debuginfo
• amazon-linux-2023-upgrade-mod-session
• amazon-linux-2023-upgrade-mod-session-debuginfo
• amazon-linux-2023-upgrade-mod-ssl
• amazon-linux-2023-upgrade-mod-ssl-debuginfo

References

• https://attackerkb.com/topics/cve-2024-38477
• CVE - 2024-38477
• https://alas.aws.amazon.com/AL2023/ALAS-2024-656.html