
CVE-2025-23048 followup with loadbalancer

Open bastien-roucaries opened this issue 4 months ago • 5 comments

Hi,

AWS load balancers are affected by a follow-up of CVE-2025-23048.

See https://salsa.debian.org/apache-team/apache2/-/blob/0874e522244079e8436b576ac7ae0527f2ce97f1/debian/apache2.NEWS

bastien-roucaries avatar Sep 02 '25 21:09 bastien-roucaries

Yes, @bastien-roucaries, the Amazon Linux team is aware of the issue, as is the AWS ALB team.

Your note from July 25, 2025, was very helpful and accurately explained the situation.

Unfortunately, Amazon Linux cannot do much about the issue between a certain CVE resolution on the Apache HTTP Server side and the ALB's behavior. As you may know, there is no one solution or workaround that fits all cases; instead, there are a number of possible workarounds, and the best one depends on the specific case.

It seems the best advice in this case is to go to the Apache bug tracker (ASF Bugzilla), read the discussions, find workarounds, and choose the one that works best for each circumstance. Amazon Linux will post information about this in the release notes for the next regular release (AL2023 and AL2).

The link to the bug tracker is https://bz.apache.org/bugzilla/show_bug.cgi?id=69743

Note that ASF Bugzilla is only accessible to authenticated users, so having an account is required, but it's free and quick to create.

alexey-tsvetnov avatar Sep 06 '25 05:09 alexey-tsvetnov

Hi,

I did say that we could do something. I said that, minimally, we should warn the users and document the behavior like I have.

I also said that I do not know the public relations impact, but finding on forums that using HTTP instead of HTTPS is the way to go is bad.

The quick and dirty first-aid fix is to use a different port on the backend.

Disabling HTTPS could only be done if you use IPsec with encryption AND AH (auth), and it needs good documentation on the customers' side.

I think the best course of action is:

  • on Amazon Linux, a release note like I have done
  • on the AWS side, a press-like entry in the knowledge base
  • check AWS forum/bug entries for lost customers and redirect them to the knowledge base

For me it is, for now, more a public relations problem than a bug per se.

Fixing the problem will take time.

@alexey-tsvetnov, what do you think?

bastien-roucaries avatar Sep 06 '25 09:09 bastien-roucaries

I personally think, and I'm sure a number of people share the same vision, that the best and easiest solution from the customers' perspective is the one where the AWS Application Load Balancer implements the needed feature (relaying SNI data to the target server) and it just works for everyone, with no workarounds.

Regarding the proposed course, I agree that informing people is the best approach. Amazon Linux, as I mentioned, will post an appropriate Release Note soon (I'll share the link here once it's public).

alexey-tsvetnov avatar Sep 06 '25 23:09 alexey-tsvetnov

@alexey-tsvetnov Yes, fixing the AWS load balancer is the way to go.

Could you please try to put something sensible here: https://repost.aws/questions/QUo5zj15ydRQS0yRLU8JKd2w/misdirected-request-the-client-needs-a-new-connection-for-this-request-as-the-requested-host-name-does-not-match-the-server-name-indication-sni-in-use-for-this-connection-apache-2-4-52

bastien-roucaries avatar Sep 08 '25 08:09 bastien-roucaries

@bastien-roucaries , Amazon Linux has posted Release Notes, which contain the note about a "side effect" of the CVE-2025-23048 mitigation:

  • AL2023: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.8.20250908.html
  • AL2: https://docs.aws.amazon.com/AL2/latest/relnotes/relnotes-20250818.html

> Following the mitigation of CVE-2025-23048 in Apache httpd, some websites may experience a "Misdirected Request" error, especially if a web server operates behind a load balancer. Currently, this issue is particularly noticeable with Application Load Balancers, which, at this time, do not relay SNI data to the target server. Apache httpd used to allow clients to send requests without setting a server name in the SNI because the check wasn't accurate. However, this behavior changed in version 2.4.64. There are several known solutions and/or workarounds depending on the load balancer and its configuration. For more information, see the [Apache bug tracker](https://bz.apache.org/bugzilla/show_bug.cgi?id=69743).

> Could you please try to put something sensible here

I'm not completely sure that there is one clear location for clarifications about the problem. There are a number of places where discussions are taking place, but none of them are authoritative enough to be the obvious one. Ideally, I would expect to find a note on an official ALB site, but I could not find one. However, Amazon Linux has an official means of notifying users about important matters: the Release Notes. That's where we posted the note.

alexey-tsvetnov avatar Sep 11 '25 18:09 alexey-tsvetnov