This advisory covers a security update for Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP5, which fixes six vulnerabilities: CVE-2024-39573 (potential SSRF in mod_rewrite), CVE-2024-38477 (null pointer dereference in mod_proxy), CVE-2024-38475 (improper escaping in mod_rewrite), CVE-2024-38473 (encoding problem in mod_proxy), CVE-2024-38474 (substitution encoding issue in mod_rewrite), and CVE-2024-38476 (security issues from malicious or exploitable backend response headers). These issues affect the mod_rewrite and mod_proxy modules of the Apache HTTP Server packaged with Red Hat JBoss Core Services. The update is a replacement for the previous service pack and includes bug fixes and enhancements. No explicit CVSS scores are provided in the advisory, but Red Hat rates the impact as important (high).

The vulnerabilities could allow attackers to exploit server-side request forgery (SSRF), cause null pointer dereferences leading to potential denial of service, and exploit improper escaping and encoding issues that may lead to security bypass or injection attacks. Additionally, malicious backend application response headers could be leveraged to compromise security. These issues affect the Apache HTTP Server components used in Red Hat JBoss Core Services middleware products, potentially impacting the confidentiality, integrity, or availability of affected systems.

Red Hat has released Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 5 as a security update that addresses these vulnerabilities. Users should apply this update to remediate the issues. Before applying the update, it is recommended to back up existing installations, including applications, configuration files, and databases. No indication is given that no action is required or that the issues are already mitigated without update. Patch status is confirmed by the vendor advisory indicating the update is available.