Our security identified a problem with older versions of Apache and wants me to upgrade to v2.2.15 or higher...
I took this opportunity to upgrade Networker to v7.6.SP1 (UNIX), but this only brought Apache (httpd) to v2.2.14...
How do I get it to meet our security needs?
All security vulnerabilities for products (includes EMC, open source, embedded 3rd party) are reported to our product development teams through our Product Security Office. The NetWorker team responded to a number of Apache related vulnerabilities. We have quite a few responses detailed in at least one knowledge base article (esg111120).
Can you provide any details on the specific vulnerability that is in question?
There were a series of vulnerabilities (CVE-2009-3720, CVE-2009-3560, CVE-2009-1623, CVE-2009-2068, CVE-2009-1452) published against Apache in the last year with the recommendation that an upgrade to Apache 2.2.15 be made. At this time, NetWorker is not exposed to any of these published vulnerabilities by our embedding of Apache Version 2.2.14 that we ship with NetWorker 7.5.3, or 7.6.1 and up. The reason for this statement is that the affected modules of Apache noted in the vulnerabilities are not enabled by NetWorker (at least in the above stated versions). We disable Apache mod_isapi which is where these vulnerabilities were reported.
If you happen to be on an earlier version of NetWorker, you can follow the guidelines published in (esg111120) to disable mod_isapi. This precludes the need to upgrade to Apache 2.2.15. Or upgrade to NetWorker 7.5.3, 7.5.4 or 7.6.1. Doing either option saves an upgrade to Apache 2.2.15.
Hope this helps!
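One way to confirm the mitigation described in the reply above (mod_isapi disabled instead of Apache upgraded) is to scan the httpd configuration for active mod_isapi directives. This is an added example, not part of the original thread or the EMC knowledge base article; the sample configuration files and the function names isapi_active and write_samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active (uncommented) mod_isapi directives in an
# Apache httpd configuration file.

# isapi_active FILE
# Prints "line-number:text" for every uncommented LoadModule line that loads
# isapi_module and every AddHandler line that maps isapi-handler.
# Returns 0 if at least one such line exists, non-zero otherwise.
# Apache directive names are case-insensitive, hence grep -i; this also
# matches the module name case-insensitively, which can only over-report.
isapi_active() {
    grep -Ein \
        -e '^[[:space:]]*LoadModule[[:space:]]+isapi_module([[:space:]]|$)' \
        -e '^[[:space:]]*AddHandler[[:space:]]+isapi-handler([[:space:]]|$)' \
        "$1"
}

# write_samples DIR
# Writes two constructed sample configurations (not taken from NetWorker).
write_samples() {
    cat > "$1/enabled.conf" <<'EOF'
ServerRoot "/opt/example/httpd"
LoadModule dir_module modules/mod_dir.so
  loadmodule isapi_module modules/mod_isapi.so
AddHandler isapi-handler .dll
EOF
    cat > "$1/disabled.conf" <<'EOF'
ServerRoot "/opt/example/httpd"
LoadModule dir_module modules/mod_dir.so
#LoadModule isapi_module modules/mod_isapi.so
# AddHandler isapi-handler .dll
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in enabled.conf disabled.conf; do
    if isapi_active "$demo_dir/$f"; then
        echo "$f: mod_isapi is ENABLED"
    else
        echo "$f: mod_isapi is not enabled"
    fi
done
rm -rf "$demo_dir"
```

The scan covers a single file only; configurations pulled in through Include directives need to be checked separately.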
It's Powerlink fun!
What are the Apache Security Vulnerabilities and the potential impact to NetWorker Management Console (NMC)?
NetWorker Management Console (NMC) currently embeds the Apache 2.2 httpd server software on Windows, Solaris, Linux, AIX and HP-UX.
| NetWorker Version | Apache httpd version embedded | Operating System |
|---|---|---|
| 7.5 | 2.2.8 | HP-UX |
| 7.5 SP1 | 2.2.8 | HP-UX |
| 7.5 | 2.2.9 | Windows, Solaris, Linux, AIX |
| 7.5 SP1 | 2.2.9 | Windows, Solaris, Linux, AIX |
| 7.5 SP2, SP3 | 2.2.9 | Windows, Linux, AIX and HP-UX |
| 7.5 SP2, SP3 | 2.2.14 | Solaris |
| 7.6 | 2.2.9 | Windows, Linux, AIX and HP-UX |
| 7.6 | 2.2.14 | Solaris |
| 7.6 SP1 | 2.2.13 | Windows, Linux, AIX and HP-UX |
| 7.6 SP1 | 2.2.14 | Solaris |
The following security vulnerability list identifies each Apache server release that is embedded with NMC and includes statements that detail the potential impact of each vulnerability to NMC.
For more information about each vulnerability, refer to the Apache web site at: http://httpd.apache.org/security/vulnerabilities_22.html
Apache Version: 2.2.8
Apache Version: 2.2.9
Apache Version: 2.2.14
NMC version: 7.5 SP2, 7.5 SP3, 7.6
Operating Systems: Solaris