Vulnerability Apache2

Univention 4.4 and 5.0 use an old version of apache2. UCS 4.4 uses Apache 2.4.25, which has the vulnerability CVE-2017-7668. How can I solve this and avoid the vulnerability in my environment?
Can I update apache2 to the latest version, 2.4.48, and will the system still run successfully?

Hello,

CVE-2017-7668 was patched via Errata 4.2-3.324. Please note that the version numbering can differ, so to see if a vulnerability persists I would recommend searching for it like so:
https://errata.software-univention.de/#/?search=CVE-2017-7668

Best regards

Thank you sir. Sorry, my mistake: my vulnerability is CVE-2021-31618, "Apache 2.4.x < 2.4.48 Vulnerability".

"The version of Apache httpd installed on the remote host is prior to 2.4.48. It is, therefore, affected by a
vulnerability as referenced in the 2.4.48 changelog.

  • mod_http2: Fix a potential NULL pointer dereference (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version
number."

Installed version : 2.4.25
Fixed version : 2.4.48

On Univention 4.4 the latest apache2 version is 2.4.25. Nessus suggests that I update apache2 to 2.4.48. Can I do it?

As I advised, you should search for the CVE in the errata search, so for CVE-2021-31618 this would be https://errata.software-univention.de/#/?search=CVE-2021-31618
As you can see, the vulnerability was fixed with errata 5.0-0.45 for UCS 5 and errata 4.4-8.1008 for UCS 4.

Nessus indicates that it only checked the package version number:

So the vulnerability was patched and there is no need to update the package as the version number does not indicate the patch level.

2 Likes
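
Added example (not part of the original thread and not Univention tooling): a local cross-check for the point made in the answer above, that a backported fix does not change the upstream version number a scanner sees. It assumes the package ships a Debian-format changelog whose entries name the CVE; the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which package revision's changelog entry names a CVE.
# cve_fixed_in, read_changelog and sample_changelog are hypothetical helper names.

# Print a changelog, transparently decompressing .gz files.
read_changelog() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Usage: cve_fixed_in CVE-ID CHANGELOG
# Prints the oldest package version whose entry mentions the CVE; returns 1 if none.
cve_fixed_in() {
    read_changelog "$2" | awk -v cve="$1" '
        # Stanza header, e.g. "apache2 (2.4.25-3+example2) dist; urgency=high"
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver) }
        {
            p = index($0, cve)
            # Reject prefix matches such as CVE-2021-3161 inside CVE-2021-31618.
            if (p && substr($0, p + length(cve), 1) !~ /[0-9]/) hit = ver
        }
        END { if (hit == "") exit 1; print hit }
    '
}

# Constructed sample in Debian changelog format (versions are made up).
sample_changelog() {
    cat <<'EOF'
apache2 (2.4.25-3+example3) constructed; urgency=medium

  * Follow-up to the CVE-2021-31618 fix: adjust test suite.

 -- Constructed Maintainer <maint@example.invalid>  Thu, 01 Jul 2021 00:00:00 +0000

apache2 (2.4.25-3+example2) constructed; urgency=high

  * mod_http2: fix NULL pointer dereference (CVE-2021-31618)

 -- Constructed Maintainer <maint@example.invalid>  Tue, 15 Jun 2021 00:00:00 +0000

apache2 (2.4.25-3+example1) constructed; urgency=medium

  * Initial constructed entry.

 -- Constructed Maintainer <maint@example.invalid>  Sat, 01 May 2021 00:00:00 +0000
EOF
}

# On a host (path is an assumption):
#   cve_fixed_in CVE-2021-31618 /usr/share/doc/apache2/changelog.Debian.gz
```

Compare the printed revision with the installed one (`dpkg-query -W apache2`); the errata search linked in the answer remains the authoritative source for which erratum carries the fix.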

Thank you, very helpful.