Apache needs to be updated more regularly

There are multiple RCE vulns publicly available to exploit the used Apache version… for example:

As we all know, Apache really often has security issues… it needs to receive updates more often…

Hey,

Your impression is not correct.
Regarding the mentioned exploit: this only affects Apache versions >=2.4.49, while UCS 5 packages version 2.4.38, so our Apache was never affected by this.
On a broader picture: it is true that there are several vulnerabilities found in Apache. As soon as they are fixed upstream (in Debian), these fixes are included in UCS. For UCS 5 alone, 3 security updates were released.

Many reports and warnings of vulnerability checkers only compare package version numbers. As we repackage Apache, this leads to false positives; more about that was written here: Vulnerability Apache2 - #4 by jlk and here: How-to: Verify automated security scan

If you want to check if your installation really is affected I would do the following:

  1. Find out which versions are affected and which version you are using.
  2. If the vulnerability affects your version, you can check our errata page with the CVE as mentioned in the linked post.
  3. If you cannot find a fix there, you can check whether the Debian project is affected and has fixed this, as written in the How-To.

Only if your version is affected and there is no mention of a fix released by us would I panic; otherwise that’s just a false positive. :slight_smile:

Regards
Jan-Luca

1 Like
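One way to carry out the three checks above against a repackaged (backported) Apache, as an added example that is not from this thread and not Univention's own tooling: it implements dpkg's version ordering so that ranges such as ">=2.4.49" can be compared against a Debian-style version like 2.4.38-3+deb10u6, reads the installed version and the recorded CVE fixes from a changelog (the format `apt-get changelog apache2` prints; the changelog below is constructed and its CVE ids are placeholders, not real identifiers), and classifies one scanner finding as a false positive, a backported fix, or something to look up on the errata page.

```python
import re

# Constructed sample of a Debian-style changelog for a backported apache2
# package. The CVE ids are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
apache2 (2.4.38-3+deb10u6) buster-security; urgency=high

  * Backport fix for CVE-0000-00001 (placeholder id).
  * Backport fix for CVE-0000-00002 (placeholder id).

 -- Maintainer <maintainer@example.invalid>  Mon, 04 Oct 2021 10:00:00 +0000

apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium

  * Backport fix for CVE-0000-00003 (placeholder id).

 -- Maintainer <maintainer@example.invalid>  Mon, 01 Feb 2021 10:00:00 +0000
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# First line of a changelog entry: "<package> (<version>) <dist>; ..."
VERSION_RE = re.compile(r"^\S+ \(([^)]+)\) ", re.M)


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything, even the end."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        while ch(a, i) == "0":      # leading zeros do not count
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():      # longer numeric run wins
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 following dpkg --compare-versions semantics."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def installed_version(changelog):
    """The top entry of the changelog is the version that is installed."""
    m = VERSION_RE.search(changelog)
    if not m:
        raise ValueError("no changelog entry found")
    return m.group(1)


def fixed_cves(changelog):
    """Every CVE id the packager recorded as fixed, regardless of version number."""
    return set(CVE_RE.findall(changelog))


def assess(changelog, cve, first_affected, fixed_upstream):
    """Classify one scanner finding: affected range is [first_affected, fixed_upstream)."""
    installed = installed_version(changelog)
    in_range = (compare_versions(installed, first_affected) >= 0
                and compare_versions(installed, fixed_upstream) < 0)
    if not in_range:
        return "not-affected: installed version is outside the affected range"
    if cve in fixed_cves(changelog):
        return "fixed-by-backport: changelog records the fix for this CVE"
    return "check-errata: version in range and no backport recorded; consult errata / Debian tracker"


if __name__ == "__main__":
    for cve, lo, hi in [("CVE-0000-00001", "2.4.49", "2.4.51"),
                        ("CVE-0000-00002", "2.4.0", "2.4.50"),
                        ("CVE-0000-00009", "2.4.0", "2.4.50")]:
        print(cve, "->", assess(SAMPLE_CHANGELOG, cve, lo, hi))
```

The first case mirrors the thread: a finding that only applies from 2.4.49 upward is a false positive on 2.4.38, whatever the scanner's version match says. The second shows why the changelog, not the version string, is the evidence that a backport exists; the third is the only case that warrants the errata lookup from step 2.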

The problem with this approach is that there are customers who want to have security notifications sent on regular scans… if we handle it like this… we always need to recheck on each added vulnerability (added to the Nessus DB)…

Well, I can understand this, but you have to keep in mind that our product is a Linux distribution, and there are reasons why we use the versioning we do that may outvalue the satisfaction of a scanner that only checks version numbers.
On a broader picture, I would advise not just looking at this metric: version numbers can easily be modified/spoofed and are not sufficient to make sure that your software is secure. Even if we just counted up the number without including any fix, your scanner would not mention this, but the vulnerabilities would still be there.

“On a broader picture I would advise to not just look at this metric: Version numbers can easily be modified/spoofed and are not sufficient to make sure that your software is secure.”

On a broader picture, I don’t have the resources to create my own scanner that doesn’t give out false positives. I need to be able to rely on a scanner which already exists.

I tend to say: “Then use a scanner which knows UCS and can generate correct reports!” It cannot be the responsibility of Univention to be compatible with all scanners available on the market.

/KNEBB

2 Likes

Is there a scanner which “knows UCS”?
