In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Only configurations using SSLEngine optional to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
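To check whether a server falls into the affected configuration, the following added example (not part of the advisory or of Apache's own tooling) scans configuration text for an active `SSLEngine optional` directive and reports the enclosing section. The sample configuration and its host names are constructed; `Include`d files are not followed, so pass each configuration file separately.

```python
import re
import sys

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """\
# SSLEngine optional   <- commented out, must not be reported
<VirtualHost *:80>
    ServerName upgrade.example.test
    sslengine \\
        Optional
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
"""

def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_tls_upgrade(text):
    """Return [(line_no, enclosing_section)] for each active 'SSLEngine optional'."""
    findings, stack = [], []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("</"):
            if stack:
                stack.pop()               # leaving a <Section>
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        elif re.fullmatch(r'SSLEngine\s+"?optional"?', line, re.IGNORECASE):
            # Directive names and this argument are matched case-insensitively.
            findings.append((no, stack[-1] if stack else "server config"))
    return findings

if __name__ == "__main__":
    sources = {p: open(p).read() for p in sys.argv[1:]} or {"<sample>": SAMPLE_CONF}
    for name, text in sources.items():
        for no, ctx in find_tls_upgrade(text):
            print(f"{name}:{no}: SSLEngine optional in [{ctx}]")
```

A finding means the TLS upgrade feature is enabled for that section; the fix stated above is to upgrade to 2.4.64.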
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Http_server | Apache | * | 2.4.64 (excluding) |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-httpd-0:2.4.62-8.el8jbcs | * |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_http2-0:2.0.29-5.el8jbcs | * |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_jk-0:1.2.50-9.redhat_1.el8jbcs | * |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_md-1:2.4.28-10.el8jbcs | * |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_proxy_cluster-0:1.3.22-4.el8jbcs | * |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_security-0:2.9.6-11.el8jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.62-8.el7jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:2.0.29-5.el7jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_jk-0:1.2.50-9.redhat_1.el7jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_md-1:2.4.28-10.el7jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_proxy_cluster-0:1.3.22-4.el7jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_security-0:2.9.6-11.el7jbcs | * |
Red Hat Enterprise Linux 10 | RedHat | httpd-0:2.4.63-1.el10_0.2 | * |
Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | RedHat | httpd-0:2.2.15-71.el6_10.1 | * |
Red Hat Enterprise Linux 7.7 Advanced Update Support | RedHat | httpd-0:2.4.6-90.el7_7.6 | * |
Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | httpd-0:2.4.6-99.el7_9.6 | * |
Red Hat Enterprise Linux 8 | RedHat | httpd:2.4-8100020250728150834.489197e6 | * |
Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | httpd:2.4-8020020250827160659.4cda2c84 | * |
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | httpd:2.4-8040020250827161824.522a0ee4 | * |
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | httpd:2.4-8040020250827161824.522a0ee4 | * |
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | httpd:2.4-8060020250827162806.ad008a3a | * |
Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | httpd:2.4-8060020250827162806.ad008a3a | * |
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | httpd:2.4-8060020250827162806.ad008a3a | * |
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | httpd:2.4-8080020250827163339.63b34585 | * |
Red Hat Enterprise Linux 9 | RedHat | httpd-0:2.4.62-4.el9_6.4 | * |
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | httpd-0:2.4.51-7.el9_0.10 | * |
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | httpd-0:2.4.53-11.el9_2.13 | * |
Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | httpd-0:2.4.57-11.el9_4.3 | * |
Red Hat JBoss Core Services 2.4.62.SP1 | RedHat | httpd | * |
Apache2 | Ubuntu | devel | * |
Apache2 | Ubuntu | esm-infra/bionic | * |
Apache2 | Ubuntu | esm-infra/focal | * |
Apache2 | Ubuntu | esm-infra/xenial | * |
Apache2 | Ubuntu | jammy | * |
Apache2 | Ubuntu | noble | * |
Apache2 | Ubuntu | plucky | * |
Apache2 | Ubuntu | upstream | * |