Highlighted
FranSim
1 Copper

Is it possible to upgrade Networker's apache server?

Hi all,

Our security team has detected a vulnerability (Qualys) on our networker server:

Vulnerable version of Apche http server detected on port: 9000 over TCP .(OptionsBleed)

They are suggesting that we upgrade the apache tomcat version to get rid of the vulnerability, but it this possible? I couldn't find any results in this forum..

Networker console version: 8.2.4.4

Thanks in advance!

Tags (1)
0 Kudos
1 Reply
Jalli Raj
1 Nickel

Re: Is it possible to upgrade Networker's apache server?

Hello

Have you  seen this

504539 : ESA-2017-097: EMC NetWorker Security Update for Apache Tomcat https://support.emc.com/kb/504539

Apache is used for hosting a landing site for a Java application that opens the NetWorker Management Console (NMC) GUI authentication at startup. After NMC is launched, Apache is no longer needed or used and NetWorker authentication takes over. Apache is not used by the Client, Storage Node, or NetWorker Server after this point.

EMC provides a locked down apache server that has as few vulnerabilities as possible. EMC keeps the version of Apache fairly recent with each major release of NetWorker. Beyond this, if you have specific security concerns, you could go through special avenues like Professional Services.

The NetWorker Management Console server uses Embedded Apache server software for only two things:

  1. Download of the Console jar files.
  2. Startup of the Console server daemon or service.

This is a custom embedded Apache software and upgrading is not recommended. It is upgraded with the NetWorker hotfix as seen here:

  • NMC version 8.0.0.2.Build.172 has Apache 2.2.21
  • NMC version 8.1.0.1 Build 236 has Apache 2.2.25
  • NMC version 8.2.1.0 Build 681 has Apache 2.2.27
  • NMC version 9.0.x has Apache 2.4.16.0
  • NMC version 9.1.x has Apache 2.4.16.0
  • NMC version 9.2.x will have Apache 2.4.25.0

To find your version on Linux/UNIX you can go to the apache/bin folder or run:[root@rhatx64]# cd /opt/lgtonmc/apache/bin
[root@ rhatx64]# ./httpd -v
Server version: Apache/2.2.25 (Unix)
To find your version on Windows you can go to the apache/bin:

  • Go to C:\Program Files\EMC NetWorker\Management\GST\apache\bin
  • And hover over the  httpd  and it will tell you the version, as seen here:


Apache version in Windows

In NetWorker 9.0 we use both, Apache HTTPD and Apache Tomcat.  Apache HTTPD is used by the NMC server (gstd daemon).  Apache Tomcat is used by the NetWorker Authentication service (AuthC

0 Kudos