In March 2022, apache.org disclosed  an HTTPD vulnerability that may expose the server to HTTP request smuggling when the HTTP daemon does not close an inbound connection following errors encountered when attempting to discard an HTTP request body. This vulnerability may affect the GUI and AXAPI management plane services of ACOS devices and is addressed in this document.
|httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling 
The table below indicates releases of ACOS exposed to this vulnerability and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
Releases Resolved or Unaffected
5.0.0 - 5.2.1-P5
5.0.1 TPS - 5.0.2-P1 TPS
4.1.4-GR1 - 4.1.4-GR1-P10
3.2.3-P1 - 3.2.5-P6
Workarounds and Mitigations
The following table shares brief descriptions for the vulnerabilities addressed in this document.
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
© Copyright 2022 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.