Article - CS385055
Update Apache HTTP Server to latest available secure version 2.4.55 or later
Modified: 10-May-2023
Applies To
- FlexPLM 11.1 M020
- Windchill PDMLink 11.1 M020
- FlexPLM 12.0.2.0
- FlexPLM 12.1.2.0
- FlexPLM 12.0.3.0
- Windchill PDMLink 12.0.2.0
- Windchill PDMLink 12.1.1.0
- Windchill PDMLink 12.1.2.0
- Pro/INTRALINK 8.x + 11.1 to 11.2
- Windchill PDM Essentials 11.1
- Windchill ProjectLink 11.1 to 12.1
- PTC Arbortext Content Manager 11.1 to 12.1
- Windchill PDMLink 12.1
Description
- Three CVEs have been reported with severity levels of critical, high, and moderate on Apache version 2.4.54
- In which Windchill release will Apache 2.4.56 be available?
- This article has been created to provide customers with information and recommended actions
- CVE-2022-36760
  - Refer to article CS386653 for details regarding the impact of the Critical CVE for Windchill & FlexPLM
- CVE-2006-20001
  - Base CVSS Score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  - Possible denial of service (DoS) attack
  - The “mod_dav” module is not used or enabled in Windchill OOTB in the default Apache configuration
  - This flaw only affects configurations with “mod_dav” loaded and configured. Also, if there is no WebDAV repository configured, the server is not affected, and no further mitigation is needed
- CVE-2022-37436
  - Base CVSS Score: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  - Possible HTTP splitting attack
  - The “mod_proxy” module is not used or enabled in Windchill OOTB in the default Apache configuration
  - This CVE is applicable only when the customer has set up proxy mode with Apache
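
The applicability conditions above (Apache older than 2.4.55, with mod_dav or mod_proxy loaded) can be checked from the output of `httpd -v` and `httpd -M`. The script below is an added example, not PTC tooling: the function names and sample output are constructed, the httpd binary name and location are assumptions that vary per installation, and CVE-2022-36760 is decided by version alone here because its conditions are covered in CS386653.

```sh
# Added example (not PTC code): triage an Apache instance against this article
# using text captured from `httpd -v` and `httpd -M`.

# Print the version number from a "Server version: Apache/2.4.54 (Unix)" line.
apache_version() {
  printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when dotted version $1 is numerically >= $2 (first three fields).
version_at_least() {
  have=$1 want=$2
  for n in 1 2 3; do
    h=${have%%.*}; w=${want%%.*}
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
    case $have in *.*) have=${have#*.} ;; *) have=0 ;; esac
    case $want in *.*) want=${want#*.} ;; *) want=0 ;; esac
  done
  return 0
}

# Succeed when module $2 (e.g. dav_module) is listed in `httpd -M` output $1.
# The exact-name match keeps dav_fs_module from counting as dav_module.
module_loaded() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# $1 = `httpd -v` output, $2 = `httpd -M` output. Prints a one-line verdict.
triage() {
  ver=$(apache_version "$1")
  [ -n "$ver" ] || { echo "version=unknown status=check-manually"; return 0; }
  if version_at_least "$ver" 2.4.55; then
    echo "version=$ver status=updated"; return 0
  fi
  found=""
  # A loaded module is necessary, not sufficient: mod_dav also needs a WebDAV
  # repository configured, and mod_proxy needs proxy mode set up.
  module_loaded "$2" dav_module && found="$found CVE-2006-20001(mod_dav)"
  module_loaded "$2" proxy_module && found="$found CVE-2022-37436(mod_proxy)"
  echo "version=$ver status=update-needed module-exposure:${found:- none}"
}

# Constructed sample input; on a real host capture it with the install's httpd.
SAMPLE_V='Server version: Apache/2.4.54 (Unix)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 dav_module (shared)
 dav_fs_module (shared)'
triage "$SAMPLE_V" "$SAMPLE_M"
```

A `module-exposure: none` verdict on an older version still means the update to 2.4.55 or later is pending.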