Apache HTTPD out of date or EOL'd


Background

A computer system or application needs to be patched regularly to keep it secure against vulnerabilities.  Patches are typically provided by the OS vendor, and are typically applied using a standard utility such as "apt" or "yum" or "dnf".  Unfortunately, operating system and application vendors only provide patches for a certain period of time.  Beyond that, the software is said to be "end of life" (EOL), meaning that security patches may no longer be provided through normal channels.

In the case of Apache HTTPD, the 2.2.x versions reached EOL in July 2017.  Some Linux suppliers (RedHat and CentOS, for example) are continuing to support HTTPD 2.2.x beyond its end of life.  This applies to NeCTAR CentOS 6 instances.

You can also get into trouble with a non-EOL'd version of Apache HTTPD if you do not apply vendor security patches.

Risks

If you are running a NeCTAR instance with an unpatched version of Apache HTTPD, your website is potentially exposed to known security vulnerabilities.  These could lead to your website being taken over and used for various illegal and/or undesirable purposes.

Detection

Our vulnerability scanner detects a server's Apache HTTPD version by examining specific header fields in HTTP / HTTPS responses from the server. Unfortunately, the reported version numbers are not always a reliable indication of the server's vulnerability.  When security fixes are backported into older versions of HTTPD, the vendors typically don't change the HTTPD version number.  For example, a freshly installed / updated HTTPD 2.2.15 installation on CentOS 6 will include recently backported patches. Thus, when our scanner detects an installation of Apache HTTPD 2.2.15, it is unclear if it is vulnerable or not.

In short: this alert could be a false alarm if you are running a CentOS 6 instance.

To be sure, you need to log in to the instance and use the "apt", "yum" or "dnf" command to query your system's installed package version for HTTPD. (The package name is "httpd" on CentOS and Scientific Linux, and "apache2" on Ubuntu and Debian.)

Then you need to check via other sources to see if the installed HTTPD package is secure.  Note that:

  • More specific version indications are available from the package manager; e.g. the package version, release number and build timestamp.
  • You can typically get clues about which vulnerabilities have been fixed by looking at the package changelog for the installed package.
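The checks described above, as an added example that is not part of the original article: query the installed HTTPD package through rpm or dpkg, split the vendor release number (which is what changes when a fix is backported) from the upstream version, and list the CVE ids mentioned in the package changelog. The sample changelog is constructed and uses placeholder CVE ids, not real advisories.

```shell
# Print the installed HTTPD package as name-version-release, or nothing if
# neither rpm (CentOS/RHEL) nor dpkg (Debian/Ubuntu) is present.
httpd_installed_version() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' httpd 2>/dev/null
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Package}-${Version}\n' apache2 2>/dev/null
  fi
}

# Print the installed package's changelog (rpm stores it in the package
# metadata; Debian ships it compressed under /usr/share/doc).
httpd_changelog() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog httpd 2>/dev/null
  elif [ -r /usr/share/doc/apache2/changelog.Debian.gz ]; then
    zcat /usr/share/doc/apache2/changelog.Debian.gz
  fi
}

# Split a package string such as "httpd-2.2.15-60.el6.centos.6" into
# "<upstream version> <vendor release>"; the release is the part that
# advances when security fixes are backported without a version bump.
split_upstream_release() {
  printf '%s\n' "$1" | sed -E 's/^[a-z0-9]+-([0-9.]+)-(.*)$/\1 \2/'
}

# Read changelog text on stdin and print each distinct CVE id it mentions.
cves_in_changelog() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog text on stdin mentions the CVE id given in $1.
changelog_mentions_cve() {
  grep -qF -- "$1"
}

# Constructed sample changelog; the CVE ids are placeholders only.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Maintainer - 2.2.15-60
- Resolves: CVE-0000-0001 (placeholder entry)
- Resolves: CVE-0000-0002 (placeholder entry)
* Mon Jun 05 2017 Example Maintainer - 2.2.15-59
- Resolves: CVE-0000-0001 (placeholder entry)'

# On a real host: report the installed package and the CVEs its changelog covers.
if pkg=$(httpd_installed_version) && [ -n "$pkg" ]; then
  echo "installed: $pkg (upstream/release: $(split_upstream_release "$pkg"))"
  httpd_changelog | cves_in_changelog
fi
```

Compare the listed CVE ids against the advisories you are concerned about rather than trusting the upstream version number alone.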

Remedies

First you should find out which version of HTTPD you are actually running; see above.  Once you have determined that there is a problem, there are a couple of approaches to dealing with it:

  • If you are already running Apache HTTPD 2.4.x, then make sure that you have applied the vendor security patches.
  • If you are running Apache HTTPD 2.2.x on CentOS 7, Ubuntu or Debian, then you should upgrade to a recent 2.4.x release. Unfortunately, with CentOS 6, HTTPD 2.2.15 is the most recent version available from the vendor repositories, so upgrading from an official repository is not an option.
  • If you are using 2.2.x on CentOS 6, keeping your system up-to-date using "yum" should be sufficient. This is contingent on CentOS and RHEL continuing to backport patches into the end-of-life 2.2.15 version.

Note: applying all vendor security patches is always advisable.
