Apache 2

tenable:172186 is a bundle check for Apache HTTP Server versions earlier than 2.4.56, primarily covering CVE-2023-25690 and CVE-2023-27522. The worst issue, CVE-2023-25690, is not 'all Apache is instantly RCE'; it is request smuggling in specific mod_proxy deployments where RewriteRule or ProxyPassMatch captures attacker-controlled URL data and reinserts it into the proxied request. CVE-2023-27522 is narrower still: it needs mod_proxy_uwsgi and a backend that emits special characters in response headers.

Tenable's CRITICAL label inherits the 9.8 CVSS from CVE-2023-25690, but that overstates enterprise-wide urgency. Real exploitation requires an internet-reachable Apache reverse proxy, the right module mix, and a vulnerable rewrite/proxy pattern; that is a meaningful friction chain. This is still a serious edge-tier issue because it can punch through proxy trust boundaries and reach protected backend paths, but it is not a drop-everything universal Apache emergency.

Why this verdict

• Downgrade for configuration friction: exploitable CVE-2023-25690 needs mod_proxy plus a specific unsafe RewriteRule/ProxyPassMatch pattern. That is a major step down from 'any Apache before 2.4.56 is trivially owned.'
• Not direct RCE from the advisory: the practical outcomes are request smuggling, ACL bypass, unintended backend requests, and cache poisoning. Serious, yes; universal server takeover, no.
• Population narrowing compounds: CVE-2023-27522 needs mod_proxy_uwsgi, which is a much smaller deployment slice than generic Apache. The bundle's worst-case story does not represent the average exposed host.
• Still high because edge trust boundaries matter: when Apache fronts internal apps, successful smuggling can bypass the exact controls defenders rely on at the perimeter. That blast radius amplifier keeps this above MEDIUM.
• PoC and exploit tooling exist: public GitHub and Packet Storm material lower attacker cost once the right target is found, so this is not just theoretical lab-grade math.

Why not higher?

There is no evidence in the sources reviewed that this is a universally exploitable, one-request compromise across all Apache servers below 2.4.56. The vulnerability hinges on optional modules and specific proxy rewrite patterns, and the impact is usually at the HTTP trust-boundary layer rather than immediate code execution on the host.

Why not lower?

The edge exposure matters. If you *do* have Apache reverse proxies fronting privileged internal routes, request smuggling can subvert access-control assumptions and reach high-value backend functions from the public internet, and public PoCs make target validation practical for attackers.

1. Inventory Apache reverse proxies first — Within 30 days, identify every Apache host acting as a reverse proxy or application gateway, then separate them from plain web-serving hosts. This trims noise fast and focuses mitigation where the bug can actually be reached.
2. Hunt unsafe rewrite patterns — Within 30 days, review configs for RewriteRule or ProxyPassMatch that capture broad user input and reinsert it into proxied URLs, especially with [P]. Those patterns are the real exploit hinge for CVE-2023-25690.
3. Disable unused proxy modules — Within 30 days, unload mod_proxy_* modules you do not need, especially mod_proxy_uwsgi. If the vulnerable module path is gone, the attack path collapses before patching is complete.
4. Constrain backend reachability — Within 30 days, enforce that Apache front ends can only reach approved backend paths and ports. This limits the value of a smuggled internal request if one slips through.
5. Add request-smuggling detection at the edge — Within 30 days, tune WAF/NGFW/IDS rules for CRLF, desync, and malformed request-target patterns associated with HTTP smuggling. This will not replace patching, but it can cut exploit reliability while remediation is underway.

Run this on the target Apache host as a local admin/root-equivalent so it can read server config and invoke apachectl/httpd. Example: sudo bash ./check_apache_2456_smuggling.sh. It inspects version, loaded modules, and common config roots, then prints VULNERABLE, PATCHED, or UNKNOWN.

#!/usr/bin/env bash
# check_apache_2456_smuggling.sh
# Purpose: Assess likely exposure to Apache httpd < 2.4.56 issues covered by Tenable plugin 172186
# Exit codes: 0 PATCHED, 1 VULNERABLE, 2 UNKNOWN

set -u

APACHECTL=""
for c in apachectl apache2ctl httpd; do
  if command -v "$c" >/dev/null 2>&1; then
    APACHECTL="$(command -v "$c")"
    break
  fi
done

if [ -z "$APACHECTL" ]; then
  echo "UNKNOWN: apachectl/apache2ctl/httpd not found"
  exit 2
fi

VER_OUT="$($APACHECTL -v 2>/dev/null | head -n 1)"
VER="$(echo "$VER_OUT" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')"
if [ -z "$VER" ]; then
  echo "UNKNOWN: could not determine Apache version"
  exit 2
fi

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ] && return 1
  [ "$1" = "$2" ] && return 1
  return 0
}

if ! ver_lt "$VER" "2.4.56"; then
  echo "PATCHED: Apache version $VER is >= 2.4.56"
  exit 0
fi

MODS="$($APACHECTL -M 2>/dev/null || true)"
HAS_PROXY=0
HAS_REWRITE=0
HAS_UWSGI=0

echo "$MODS" | grep -Eq 'proxy_module|proxy_http_module|proxy_fcgi_module|proxy_ajp_module|proxy_wstunnel_module' && HAS_PROXY=1
echo "$MODS" | grep -Eq 'rewrite_module' && HAS_REWRITE=1
echo "$MODS" | grep -Eq 'proxy_uwsgi_module' && HAS_UWSGI=1

CONF_ROOTS="/etc/httpd /etc/apache2 /usr/local/apache2/conf"
CONF_FILES=""
for d in $CONF_ROOTS; do
  if [ -d "$d" ]; then
    CONF_FILES="$CONF_FILES $(find "$d" -type f \( -name '*.conf' -o -name 'httpd.conf' -o -name 'apache2.conf' \) 2>/dev/null)"
  fi
done

if [ -z "$CONF_FILES" ]; then
  if [ "$HAS_UWSGI" -eq 1 ]; then
    echo "VULNERABLE: Apache $VER < 2.4.56 and mod_proxy_uwsgi is loaded (config files not fully inspected)"
    exit 1
  fi
  echo "UNKNOWN: Apache $VER < 2.4.56 but no readable config files found"
  exit 2
fi

# Heuristic checks for risky config patterns tied to CVE-2023-25690
RISK_REWRITE=0
RISK_PROXYPASSMATCH=0

# RewriteRule with [P] and a backreference ($1 etc.)
if grep -RIEq '^[[:space:]]*RewriteRule[[:space:]].*\$[0-9].*\[[^]]*P[^]]*\]' $CONF_FILES 2>/dev/null; then
  RISK_REWRITE=1
fi

# ProxyPassMatch with backreference in target
if grep -RIEq '^[[:space:]]*ProxyPassMatch[[:space:]].*\$[0-9]' $CONF_FILES 2>/dev/null; then
  RISK_PROXYPASSMATCH=1
fi

if [ "$HAS_UWSGI" -eq 1 ]; then
  echo "VULNERABLE: Apache $VER < 2.4.56 and mod_proxy_uwsgi is loaded (CVE-2023-27522 path present)"
  exit 1
fi

if [ "$HAS_PROXY" -eq 1 ] && [ "$HAS_REWRITE" -eq 1 ] && { [ "$RISK_REWRITE" -eq 1 ] || [ "$RISK_PROXYPASSMATCH" -eq 1 ]; }; then
  echo "VULNERABLE: Apache $VER < 2.4.56 with proxy+rewrite and likely unsafe RewriteRule/ProxyPassMatch pattern"
  exit 1
fi

if [ "$HAS_PROXY" -eq 1 ] || [ "$HAS_REWRITE" -eq 1 ]; then
  echo "UNKNOWN: Apache $VER < 2.4.56, but no obvious exploitable proxy rewrite pattern found by heuristic scan"
  exit 2
fi

echo "UNKNOWN: Apache $VER < 2.4.56, but affected modules/patterns were not confirmed"
exit 2

Sources

1. Tenable plugin 172186
2. Apache HTTP Server 2.4 vulnerabilities
3. NVD CVE-2023-25690
4. NVD CVE-2023-27522
5. Debian LTS advisory DLA-3401-1
6. GitHub PoC for CVE-2023-25690
7. CISA Known Exploited Vulnerabilities Catalog
8. Docker Scout CVE-2023-25690 record