My server has been scanned for vulnerabilities and they are asking me to upgrade my Apache server, but the CentOS repositories do not provide Apache > 2.2.15. If this version is vulnerable, then why does CentOS not provide a newer version to upgrade to in the respective directories?

Title: vulnerable Apache version: 2.2.15
Impact: A remote attacker could crash the web server, disclose certain sensitive information, or execute arbitrary commands.
Data Received: Server: Apache/2.2.15 (CentOS)
Resolution: [http://httpd.apache.org/download.cgi] Upgrade Apache 2.0.x to a version higher than 2.0.64 when available, 2.2.x to 2.2.22 or higher. or a version higher than 2.4.2, or install an updated package from your Linux

Now I am looking for a way to upgrade Apache version.

Please suggest how I should go about it.

sunlight

  • Most likely, the fix for this issue has been backported into the RHEL/CentOS sources for Apache. This is what the scanner means by "or install an updated package from your Linux [distribution]". Look into the changelogs for the Apache package to determine if this has been the case. – Sven Feb 25 '13 at 11:01
  • What security scanner software are you using? – Danie Feb 25 '13 at 11:10
  • Where's the CVE? They should have given you that. If they didn't, tell them to shut up. – Michael Hampton Feb 25 '13 at 19:55

1 Answer

All of the security issues fixed in 2.2.22 (and 2.2.23 for that matter; 2.2.24 seems to have come out today so probably not those yet) have been backported into the current packages for RHEL and RHEL derivatives like CentOS.

Assuming that you're on the latest httpd package in the CentOS repository, your security scanner is wrong; a simple look at the version string is a very unreliable method for detecting whether a system is vulnerable, since all of the major Linux distributions used in business use the same method of backporting security fixes (without upgrading to whole new versions).

Easy workaround: don't let the faulty scanners make incorrect guesses using their flawed detection logic, and configure ServerTokens Prod and ServerSignature Off in your Apache.

Shane Madden

  • +1 Though you might mention that some of the security problems are "fixed" more properly in the newer versions of Apache instead of kludges like disabling whatever bit has the security problem. In any case, it's not a security issue in the patched versions. – Chris S Feb 26 '13 at 06:20
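As an added example (not code from the thread), a POSIX shell script covering the two checks discussed above: Sven's advice to look for the backported fix in the package changelog, and Shane's ServerTokens Prod / ServerSignature Off workaround. The changelog text, the config fragments and the CVE id CVE-YYYY-NNNN are constructed placeholders, since the scanner report in the question names no CVE; on a real host the inputs would come from `rpm -q --changelog httpd` and /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog httpd` output (not a real changelog).
# Note the version stays 2.2.15; only the release number changes when a
# security fix is backported, which is why version-string scanners get it wrong.
SAMPLE_CHANGELOG='* Tue Feb 05 2013 Example Maintainer <maint@example.invalid> - 2.2.15-26
- add security fix for CVE-YYYY-NNNN (backported, version string unchanged)
* Mon Jan 14 2013 Example Maintainer <maint@example.invalid> - 2.2.15-25
- rebuild'

# Constructed httpd.conf fragments: the verbose default next to the hardened form.
# With ServerTokens OS the Server header reads "Apache/2.2.15 (CentOS)";
# with ServerTokens Prod it is reduced to "Apache".
WEAK_CONF='ServerTokens OS
ServerSignature On'
HARDENED_CONF='ServerTokens Prod
ServerSignature Off'

# changelog_has_cve CHANGELOG CVE-ID: exit 0 if the CVE is recorded in the
# changelog, i.e. the distribution shipped the fix without bumping the version.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# conf_directive CONF NAME: print the effective (last, uncommented) value of
# directive NAME; commented-out lines start with '#' and never match.
conf_directive() {
    printf '%s\n' "$1" | awk -v name="$2" \
        'tolower($1) == tolower(name) { v = $2 } END { print v }'
}

# tokens_hardened CONF: exit 0 only if both directives are at the hardened values
# the answer recommends.
tokens_hardened() {
    t=$(conf_directive "$1" ServerTokens)
    s=$(conf_directive "$1" ServerSignature)
    [ "$t" = "Prod" ] && [ "$s" = "Off" ]
}

if changelog_has_cve "$SAMPLE_CHANGELOG" CVE-YYYY-NNNN; then
    echo "changelog records the backported fix; the version string alone proves nothing"
fi
for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    if tokens_hardened "$conf"; then
        echo "config hides version details (ServerTokens Prod, ServerSignature Off)"
    else
        echo "config still advertises version details to scanners"
    fi
done
```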