SB2025090206 - Red Hat Enterprise Linux 7 Extended Lifecycle Support update for httpd

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025090206

SB2025090206 - Red Hat Enterprise Linux 7 Extended Lifecycle Support update for httpd

Published: September 2, 2025

Security Bulletin ID SB2025090206
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-47252)

The vulnerability allows a remote attacker to manipulate data in log files. 

The vulnerability exists due to improper input validation in mod_ssl. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. A remote attacker can manipulate contents of log files. 


2) Cryptographic issues (CVE-ID: CVE-2025-49812)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to he way certain mod_ssl configurations handle TLS upgrades. A remote attacker can launch an HTTP desynchronisation attack, which allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Note, only configurations using "SSLEngine optional" to enable TLS upgrades are affected.


Remediation

Install update from vendor's website.

References