Apache version in Networker
Our security identified a problem with older versions of Apache and wants me to upgrade to v2.2.15 or higher...
I took this opportunity to upgrade Networker to v7.6.SP1 (UNIX), but this only brought Apache (httpd) to v2.2.14...
How do I get it to meet our security needs?
AllanW1
334 Posts
0
December 9th, 2010 07:00
Hi Tom,
All security vulnerabilities for products (includes EMC, open source, embedded 3rd party) are reported to our product development teams through our Product Security Office. The NetWorker team responded to a number of Apache related vulnerabilities. We have quite a few responses detailed in at least one knowledge base article (esg111120).
Can you provide any details on the specific vulnerability that is in question?
There were a series of vulnerabilities (CVE-2009-3720, CVE-2009-3560, CVE-2009-1623, CVE-2009-2068, CVE-2009-1452) published against Apache in the last year with the recommendation that an upgrade to Apache 2.2.15 be made. At this time, NetWorker is not exposed to any of these published vulnerabilities by our embedding of Apache Version 2.2.14 that we ship with NetWorker 7.5.3, or 7.6.1 and up. The reason for this statement is that the affected modules of Apache noted in the vulnerabilities are not enabled by NetWorker (at least in the above stated versions). We disable Apache mod_isapi which is where these vulnerabilities were reported.
If you happen to be on an earlier version of NetWorker, you can follow the guidelines published in (esg111120) to disable mod_isapi. This precludes the need to upgrade to Apache 2.2.15. Or upgrade to NetWorker 7.5.3, 7.5.4 or 7.6.1. Doing either option saves an upgrade to Apache 2.2.15.
Hope this helps!
Allan
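One way to confirm that a module such as mod_isapi is not enabled in an httpd configuration, shown here as an added example that is not part of the original thread or of NetWorker. The configuration text is a constructed sample, and the function names are hypothetical.

```python
import re

# Constructed sample httpd.conf fragment (not taken from a NetWorker install).
SAMPLE_CONF = """\
# LoadModule isapi_module modules/mod_isapi.so
LoadModule alias_module modules/mod_alias.so
loadmodule  dir_module \\
    modules/mod_dir.so
<IfModule ssl_module>
    LoadModule status_module modules/mod_status.so
</IfModule>
"""

# Directive names are case-insensitive in httpd; arguments are whitespace-separated.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

def logical_lines(text):
    """Yield config lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def loaded_modules(text):
    """Return {module_identifier: file} for every uncommented LoadModule line.

    A LoadModule inside <IfModule>/<IfDefine> is counted as loaded, which errs
    on the side of reporting a module. Include files are not followed.
    """
    mods = {}
    for line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive: module is not loaded by this line
        m = LOADMODULE.match(line)
        if m:
            mods[m.group(1)] = m.group(2)
    return mods

def module_enabled(text, identifier="isapi_module"):
    """True if the configuration text loads the given module identifier."""
    return identifier in loaded_modules(text)
```

A module that is compiled into the binary never appears in a LoadModule line, so pair this check with `httpd -l` (compiled-in modules) or `httpd -M` (all loaded modules) on the running install.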
AllanW1
334 Posts
0
December 9th, 2010 11:00
Yep - it is mentioned in esg111120. Here's the link for others so you don't have to search: esg111120.
NW8oldtimer
17 Posts
0
December 9th, 2010 11:00
Thanks for the info (and prompt response!)…
The vulnerability we are concerned with is CVE-2010-0434
AllanW1
334 Posts
0
December 9th, 2010 13:00
It's Powerlink fun!
Symptom
What are the Apache Security Vulnerabilities and the potential impact to NetWorker Management Console (NMC)?
Resolution
NetWorker Management Console (NMC) currently embeds the Apache 2.2 httpd server software on Windows, Solaris, Linux, AIX and HP-UX.
NetWorker Version    Apache httpd version embedded    Operating System
7.5                  2.2.8                            HP-UX
7.5 SP1              2.2.8                            HP-UX
7.5                  2.2.9                            Windows, Solaris, Linux, AIX
7.5 SP1              2.2.9                            Windows, Solaris, Linux, AIX
7.5 SP2, SP3         2.2.9                            Windows, Linux, AIX and HP-UX
7.5 SP2, SP3         2.2.14                           Solaris
7.6                  2.2.9                            Windows, Linux, AIX and HP-UX
7.6                  2.2.14                           Solaris
7.6 SP1              2.2.13                           Windows, Linux, AIX and HP-UX
7.6 SP1              2.2.14                           Solaris
The following security vulnerability list identifies each Apache server release that is embedded with NMC and includes statements that detail the potential impact of each vulnerability to NMC.
For more information about each vulnerability, refer to the Apache web site at: http://httpd.apache.org/security/vulnerabilities_22.html
Apache Version: 2.2.8
Apache Version: 2.2.9
Apache Version: 2.2.14
NMC version: 7.5 SP2, 7.5 SP3, 7.6
Operating Systems: Solaris
NW8oldtimer
17 Posts
0
December 9th, 2010 13:00
Can’t seem to open that site or document…
NW8oldtimer
17 Posts
0
December 9th, 2010 13:00
Never mind – I got it!
Thanks!!