Vulnerability Apache2

Harianto · August 27, 2021, 2:49am

on Univention 4.4 or 5.0 using apache2 old version , ucs 4.4 using apache 2.4.25 have a vulnerability CVE-2017-7668 , how to solve it , to avoid vulnerability on my environment?
can i update apache2 to latest version 2.4.48 and system running succes?

jlk · August 27, 2021, 7:06am

Hello,

CVE-2017-7668 was patched via Errata 4.2-3.324. Please note that the version numbering can differ, so to see if a vulnerability persits I would recommend to search for it like so:
https://errata.software-univention.de/#/?search=CVE-2017-7668

Best regards

Harianto · August 27, 2021, 8:47am

tank you sir, sorry mistake , my vulnerability is a CVE-2021-31618 Apache 2.4.x < 2.4.48 Vulnerability

"The version of Apache httpd installed on the remote host is prior to 2.4.48. It is, therefore, affected by a
vulnerability as referenced in the 2.4.48 changelog.

mod_http2: Fix a potential NULL pointer dereference (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version
number."

Installed version : 2.4.25
Fixed version : 2.4.48

on univention 4.4 , latest version apache2 2.4.25, nessus suggest me to update apache2 2.4.48, can i do it ?

jlk · August 27, 2021, 11:14am

As I advised you should search for the CVE in the errata search, so for CVE-2021-31618 this would be https://errata.software-univention.de/#/?search=CVE-2021-31618
As you can see, the vulnerability was fixed with errata 5.0-0.45 for UCS 5 and errata 4.4-8.1008 for UCS 4.

Nessus indicates that it only checked the package version number:

So the vulnerability was patched and there is no need to update the package as the version number does not indicate the patch level.

Harianto · August 30, 2021, 1:25am

thank you very helpful

snguyen · October 8, 2021, 11:18am

There was a new apache vuln published with the CVE-2021-41773. Is there any estimated errata update for closing this?

Andreas_T · October 8, 2021, 11:43am

CVE-2021-41773 only affects Apache 2.4.49 and not earlier versions. UCS4 still uses Apache 2.4.25 and UCS5 Apache 2.4.38.

snguyen · October 12, 2021, 8:03am

2.4.38 is also known for multiple Vulnerabilities like CVE-2020-11984. So there is no ETA for 2.4.50?

externa1 · October 12, 2021, 8:55am

its already fixed in 2.4.38-3+deb10u5A see

https://security-tracker.debian.org/tracker/CVE-2020-11984

letmesetupthis · August 26, 2022, 2:07pm

the Problem with this approach is, that there are customers which want to have security notifications sent on regular scans… if we handle it like this… we always need to recheck on each added vulnerability (added to nessus DB)…

jlk · August 26, 2022, 2:17pm

Please do not duplicate your posts as this topic is already resolved. I have answered in your original post: https://help.univention.com/t/apache-needs-to-be-updated-more-regularly

jlk · August 26, 2022, 2:17pm