
During the latest app scan in my project, CVE-2015-3183 has popped up. I have looked everywhere on the net for a solution. The solution is simple: update your Apache.

The problem is that we cannot update our Apache for the next 3 to 4 months, as it requires lots of permissions in my company. The next app scan (PCI DSS) is due in 2 weeks and we need to pass it.

Please suggest any way in which I can solve this HTTP request smuggling attack against the chunked request parser (CVE-2015-3183) without updating my Apache.

One of the answers that I got on the Red Hat site is simple:

RewriteEngine on
# Reject any request that announces a chunked body. NC is added to the quoted rule:
# Apache accepts the header value in any case, so "Chunked" must be caught too.
RewriteCond %{HTTP:Transfer-Encoding} ^chunked$ [NC]
# "-" with a non-3xx status sends no redirect; it just answers 400 and stops rewriting.
RewriteRule .* - [R=400]

Link to above solution

If the above solution is correct, how can I be sure that my development team is not making any chunked requests? Or is any other solution available?

  • If it takes 3-4 months to get permission to install a security update, your company's process is the _first_ thing you should fix. – Michael Hampton Dec 15 '15 at 19:18
  • "... how can I be sure that my development team is not making any chunked requests? Or is any other solution available?.." - talk to your development team? – Steffen Ullrich Dec 15 '15 at 21:09
  • What version of Apache do you have? This vulnerability is already 5 months old... – MonkeyZeus Dec 15 '15 at 21:30
  • @Steffen Thanks for your reply. Actually the question should be: under any circumstances in payment processing, do developers make chunked requests for card processing or storage? MonkeyZeus -- Apache version is 2.2.27. Michael -- I agree with you, but I sit at the client's place with almost zero power. So I have to go with the flow. – sanjeevnjha Dec 16 '15 at 04:11

0 Answers
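As an added example (not part of the question, the comments, or the Red Hat article it cites), here is a Python probe that checks the mitigation from the outside instead of trusting that the rewrite rule was typed correctly. It sends three requests to the same application path: one with "Transfer-Encoding: chunked", one with "Transfer-Encoding: Chunked" (Apache compares the value case-insensitively, so a RewriteCond without [NC] lets the second spelling through), and one ordinary Content-Length request that must keep working. Host, port and path are placeholders, the request body is a constructed sample, and the probe speaks plain HTTP; an HTTPS listener needs the socket wrapped with ssl.

```python
"""Probe an Apache front end to confirm that chunked requests are answered with
400 while ordinary Content-Length requests still work.

Added example, not code from the question or from Red Hat. Host, port and path
are assumptions; the probe speaks plain HTTP (wrap the socket with ssl for HTTPS).
"""
import socket
from typing import Optional


def chunk_encode(payload: bytes, chunk_size: int = 4) -> bytes:
    """Encode payload as an HTTP/1.1 chunked body: hex size, CRLF, data, CRLF,
    terminated by a zero-length chunk and an empty trailer."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode("ascii") + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def build_request(host: str, path: str, body: bytes, te_value: Optional[str]) -> bytes:
    """Build a raw POST. With te_value set (e.g. "chunked" or "Chunked") the body is
    chunk-encoded and that exact Transfer-Encoding header is sent; with None a
    Content-Length header is used instead."""
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        "Connection: close",
    ]
    if te_value is not None:
        lines.append(f"Transfer-Encoding: {te_value}")
        body = chunk_encode(body)
    else:
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body


def status_code(response: bytes) -> int:
    """Return the status code from an HTTP status line, or 0 if the reply is
    empty or not HTTP (for example, the server just dropped the connection)."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(parts[1])
    except ValueError:
        return 0


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send the raw request over TCP and collect the reply until the server closes."""
    received = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            received += data
    return bytes(received)


PROBES = (
    ("chunked", "chunked"),    # exactly what the quoted RewriteCond matches
    ("Chunked", "Chunked"),    # same meaning to Apache; a case-sensitive rule misses it
    ("content-length", None),  # must keep working, or the rule breaks the application
)


def check_mitigation(host: str, port: int, path: str, transport=send_raw) -> dict:
    """Run the three probes and map each label to the status code received."""
    body = b"cardholder=test&amount=1"  # constructed sample body, not real card data
    results = {}
    for label, te_value in PROBES:
        reply = transport(host, port, build_request(host, path, body, te_value))
        results[label] = status_code(reply)
    return results


def mitigation_ok(results: dict) -> bool:
    """True when both chunked spellings got 400 and the plain request was served."""
    return (results["chunked"] == 400 and results["Chunked"] == 400
            and results["content-length"] not in (0, 400))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumption: local test box
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    results = check_mitigation(host, port, path)
    for label, code in results.items():
        print(f"{label:15s} -> HTTP {code or 'no response'}")
    print("mitigation in place" if mitigation_ok(results) else "mitigation NOT in place")
```

For the second half of the question (whether the application's own clients ever send chunked bodies), measure before you block: add %{Transfer-Encoding}i to the LogFormat used by the relevant CustomLog, let it run through a normal business cycle, and grep the access log for "chunked". Every hit is a client the 400 rule would break, and an empty result is the evidence the development team can be asked to confirm.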