Article - CS386653
Potential Impact of Apache HTTP Server (2.4 to 2.4.54) security vulnerability (CVE-2022-36760) in Windchill PDMLink & FlexPLM
Modified: 03-May-2023
Applies To
- FlexPLM 11.1 M020
- FlexPLM 12.0.2.0
- FlexPLM 12.1.2.0
- FlexPLM 12.0.3.0
- Windchill PDMLink 12.0.2.0
- Windchill PDMLink 12.1.1.0
- Windchill PDMLink 12.1.2.0
- Pro/INTRALINK 8.x + 11.1 to 11.2
- Windchill PDM Essentials 11.1
- Windchill ProjectLink 11.1 to 12.1
- PTC Arbortext Content Manager 11.1 to 12.1
- Windchill PDMLink 11.0
Description
- A critical vulnerability, CVE-2022-36760, is reported in Apache HTTP Server versions 2.4 to 2.4.54
- CVE-2022-36760
- Base CVSS Score (NVD) – 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- Possible HTTP request smuggling
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- Potential impact of this issue in Windchill & FlexPLM is subject to specific configurations (Refer to Resolution section for more details)
- This article has been created to provide information and recommended actions
- Refer to PTC article CS385055 for details regarding additional vulnerabilities also fixed in Apache HTTP Server 2.4.55
- Refer to the Apache website for more details: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project
- Does the Windchill system use mod_proxy_ajp? Is it possible to disable the AJP Connector?