CVE-2022-36760 Overview
CVE-2022-36760 is an HTTP Request Smuggling vulnerability in the mod_proxy_ajp module of Apache HTTP Server. This vulnerability arises from inconsistent interpretation of HTTP requests between the Apache HTTP Server and the backend AJP (Apache JServ Protocol) server. An attacker can exploit this flaw to smuggle malicious requests to the AJP server, potentially bypassing security controls, poisoning web caches, or hijacking other users' sessions.
Critical Impact
This vulnerability allows remote attackers to smuggle HTTP requests to backend AJP servers, potentially leading to unauthorized access, cache poisoning, session hijacking, or bypassing security controls in environments using Apache HTTP Server as a reverse proxy.
Affected Products
- Apache HTTP Server version 2.4.54 and prior versions
- Systems using mod_proxy_ajp for proxying to AJP backends
- Environments with Apache HTTP Server configured as a reverse proxy to Tomcat or similar AJP-enabled application servers
Discovery Timeline
- 2023-01-17 - CVE CVE-2022-36760 published to NVD
- 2025-04-04 - Last updated in NVD database
Technical Details for CVE-2022-36760
Vulnerability Analysis
HTTP Request Smuggling (CWE-444) occurs when front-end and back-end servers interpret HTTP request boundaries differently. In the case of CVE-2022-36760, the vulnerability exists in the mod_proxy_ajp module, which is responsible for forwarding requests to AJP-compliant backend servers such as Apache Tomcat.
The root cause lies in the inconsistent handling of HTTP request parsing between Apache HTTP Server and the AJP backend. When the two systems disagree on where one request ends and another begins, an attacker can craft specially formatted HTTP requests that appear as a single request to the front-end server but are interpreted as multiple requests by the backend AJP server.
This class of vulnerability can have severe consequences in production environments, particularly those relying on Apache HTTP Server as a security gateway or load balancer in front of application servers.
Root Cause
The vulnerability stems from CWE-444 (Inconsistent Interpretation of HTTP Requests). The mod_proxy_ajp module fails to properly normalize HTTP request boundaries when forwarding requests to AJP backends. This creates a desynchronization between how Apache HTTP Server parses incoming requests and how the AJP backend processes them.
Specific issues may include improper handling of Content-Length headers, Transfer-Encoding headers, or other HTTP request boundary indicators when translating HTTP to the AJP protocol.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker crafts a specially malformed HTTP request that exploits the parsing inconsistency between Apache HTTP Server and the AJP backend. The attack typically involves embedding a secondary request within the body or headers of a legitimate-looking request.
When successful, the smuggled request is processed by the backend AJP server as if it originated from a trusted source (the Apache proxy), potentially allowing the attacker to:
- Bypass access controls and authentication mechanisms
- Poison web caches with malicious content
- Hijack other users' requests or sessions
- Access internal resources not intended to be publicly accessible
The vulnerability affects environments where mod_proxy_ajp is enabled and configured to proxy requests to backend AJP servers. For detailed technical information, refer to the Apache HTTP Server security advisory.
Detection Methods for CVE-2022-36760
Indicators of Compromise
- Unusual or malformed HTTP requests in Apache access logs containing conflicting Content-Length or Transfer-Encoding headers
- Backend AJP server logs showing requests that don't correspond to legitimate frontend activity
- Evidence of cache poisoning with unexpected content being served to users
- Unauthorized access to restricted resources or endpoints on backend AJP servers
Detection Strategies
- Implement deep packet inspection to identify HTTP requests with ambiguous boundaries or conflicting length indicators
- Monitor for requests containing both Content-Length and Transfer-Encoding headers, which may indicate smuggling attempts
- Deploy web application firewalls (WAF) with HTTP Request Smuggling detection capabilities
- Enable detailed logging on both Apache HTTP Server and backend AJP servers to correlate request patterns
Monitoring Recommendations
- Configure Apache HTTP Server to log full request headers for forensic analysis
- Implement anomaly detection for HTTP traffic patterns, particularly requests with unusual header combinations
- Monitor backend AJP server access logs for requests that appear to originate from the proxy but lack corresponding frontend entries
- Set up alerting for requests targeting administrative or sensitive endpoints through the AJP proxy
How to Mitigate CVE-2022-36760
Immediate Actions Required
- Upgrade Apache HTTP Server to the latest patched version that addresses CVE-2022-36760
- If immediate patching is not possible, consider temporarily disabling mod_proxy_ajp if the AJP proxy functionality is not critical
- Review Apache HTTP Server configuration to ensure mod_proxy_ajp is only enabled where necessary
- Implement additional security controls such as WAF rules to detect and block HTTP Request Smuggling attempts
Patch Information
Apache has released security updates addressing this vulnerability. Administrators should upgrade to the latest version of Apache HTTP Server 2.4.x that includes the fix for CVE-2022-36760. Refer to the Apache HTTP Server security advisory for specific version information and download links.
Additional vendor guidance is available through the Gentoo GLSA 202309-01 security advisory for Gentoo Linux users.
Workarounds
- Disable mod_proxy_ajp if AJP proxying is not required for your deployment
- Restrict access to the AJP proxy to trusted networks only using firewall rules or Apache access controls
- Implement strict HTTP request validation at the network perimeter using a WAF or reverse proxy that normalizes requests before forwarding
- Consider switching to HTTP/HTTPS backend connections instead of AJP where feasible
# Disable mod_proxy_ajp if not needed (Debian/Ubuntu)
sudo a2dismod proxy_ajp
sudo systemctl restart apache2
# Restrict AJP proxy access in Apache configuration
# Add to your VirtualHost or Location block:
# <Location "/ajp-proxy">
# Require ip 10.0.0.0/8
# Require ip 192.168.0.0/16
# </Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
