Apache mod_proxy_cluster CRLF Injection Vulnerability Allowing Response Corruption

Vulnerability

A CRLF injection vulnerability has been identified in the Apache mod_proxy_cluster module, specifically within the decodeenc() function. This flaw allows remote attackers to bypass input validation by injecting CRLF sequences into the cluster configuration. As a result, the response body of INFO endpoint responses can be corrupted. Exploitation of this vulnerability requires network access to the MCMP protocol port, typically 6666, but does not require authentication.
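The ordering problem behind this kind of flaw, as an added example that is not mod_proxy_cluster's code: a check run on the raw bytes passes an encoded CRLF, while a check run on the decoded bytes rejects it. It assumes field values arrive percent-encoded, which this page does not state; the function names and the sample value are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not project code. Value of one hex digit, or -1. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Weak pattern, for contrast: inspects only the raw, still-encoded bytes. */
int raw_check_only(const char *src)
{
    return strpbrk(src, "\r\n") == NULL;   /* 1 means "looks clean" */
}

/* Percent-decode src into dst (capacity dstlen), validating the DECODED bytes.
 * Returns the length, or -1 on a bad escape, a control byte (CR/LF/NUL) or overflow. */
int decode_field_strict(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    while (*src) {
        unsigned char c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]); /* never reads past NUL */
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            src += 2;
        }
        if (c < 0x20 || c == 0x7f) return -1;   /* reject after decoding */
        if (o + 1 >= dstlen) return -1;         /* keep room for the terminator */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    char out[64];
    const char *sample = "node1%0D%0Ainjected";   /* constructed input */
    printf("raw check: %d, strict decode: %d\n", raw_check_only(sample), decode_field_strict(sample, out, sizeof out));
    return 0;
}
```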

Impact

Exploitation of this vulnerability leads to unauthorized modification of response bodies in the INFO endpoint, allowing for potential misinformation or disruption of service.

Remediation

It is recommended to restrict network access to the MCMP protocol port (usually 6666) for systems running Apache mod_proxy_cluster. Configure firewall rules to allow inbound connections to this port only from trusted internal or management networks. A service reload or restart may be necessary for firewall changes to take effect.

Added: Mar 12, 2026, 11:17 AM
Updated: Mar 12, 2026, 11:17 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 9.7
remediation: 7.9
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.