Apache 2.4.59 vulnerabilities

Hello,

I’m using the newest UCS 5.0-8 errata1106. Apache2 version is 2.4.59, which has some known vulnerabilities:

CVE-2024-36387
CVE-2024-38472
CVE-2024-38473
CVE-2024-38474
CVE-2024-38475
CVE-2024-38476
CVE-2024-38477
CVE-2024-39573

How can I be sure if my UCS is affected by those vulnerabilities?

I tried to check on "Information on source package apache2", but only the Debian 11 and 12 versions are included there. UCS is running on Debian 10.

apache2 2.4.59-1~deb10u1A~5.0.8.202406031541

When can we expect a new version of UCS with a new Apache version?

Thank you!

Hi rijadp,

you are listing quite a few CVEs. Have you checked whether they actually could affect your system?
One of them is for Apache on Windows, a couple for Apache with mod_proxy enabled…

On my installation, Wazuh is not reporting the Apache vulnerabilities yet.

Hello,

we are currently preparing a new version of Apache that addresses these vulnerabilities: Bug 57554 – apache2: Multiple issues (5.0)
Planned release date is Wednesday this week.

As mentioned by @dzidek23, not all CVEs listed by you are patched, because CVE-2024-38472, for example, is only valid for Windows: "important: Apache HTTP Server on Windows UNC SSRF (CVE-2024-38472)".

Regards
Jan-Luca

Hi Jan-Luca,

Sorry for the late response, I was on holiday.
Thank you for your response, I upgraded Univention today.
Now we will wait for a retest of our server, and I hope we will not be vulnerable anymore.

Cheers,
Rijad
