-1

I am running an Apache server, version 2.2.22, which is up to date, but the PCI compliance report shows an error message saying the Apache version is obsolete and I must upgrade it to the latest version.

I am on Ubuntu 12.04.5 LTS

my apache version:

Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 22 2014 14:35:25

Is there any method to alter just the version of apache and make it 2.4?

Any help is appreciated. Thank you :)

shrish
  • 255
  • 2
  • 3
  • 9
  • That is not how you remediate this compliance issue. See [How to maintain PCI compliance on a LAMP server when repositories don't keep up with versions](http://serverfault.com/q/438311/126632) – Michael Hampton Sep 29 '14 at 14:08

2 Answers

2

According to "http://www.tecmint.com/apache-security-tips/", you should be able to hide this information by adding the following in your httpd.conf and then restarting Apache (apachectl restart):

ServerSignature Off
ServerTokens Prod
DTK
  • 1,688
  • 10
  • 15
0

Your version is out of date and has many vulnerabilities. Why not upgrade to the latest and most secure version of apache rather than pretend there isn't a problem?

Change your ServerTokens in httpd.conf. For security purposes it's best not to give away any information that will give anyone a clue.

# vi httpd.conf
ServerTokens Prod
Dr.Avalanche
  • 133
  • 1
  • 1
  • 13
  • If I upgrade Apache, there are lots of sites whose configuration files I will need to change. You know, some directives have changed as well with the new version. :) http://httpd.apache.org/docs/2.4/upgrading.html – shrish Sep 29 '14 at 08:57
  • @shrish so you'd rather administer a vulnerable webserver than do the job of the system administrator? – Dr.Avalanche Sep 29 '14 at 09:09
  • 2
    @Dr.Avalanche: Enterprise releases, like Ubuntu LTS, provide long-term security and functional stability by patching the original version they shipped, rather than upgrading to the next version. Red Hat does the same and [explains that quite well here](https://access.redhat.com/security/updates/backporting) – HBruijn Sep 29 '14 at 09:11
  • While it may be a suboptimal version (and is not the one I run), he may have mitigating controls that he has (wisely) not told about, or may not be able to upgrade at this time because of externalities that you are not privy to. He asked about reducing the webserver daemon's signature, not how to secure it overall. When he is able to upgrade to a more current version, I hope he is taking the opportunity. – DTK Sep 29 '14 at 09:13
  • @DTK Given his comment was that an upgrade would mean he'd have to change some config files, and that all they're interested in is getting their system off a complience register, rather than either resolving the problem or pointing out that their current version isn't vulnerable I see no reason to believe they're interested in doing the right thing. We live in hope I guess – Dr.Avalanche Sep 29 '14 at 09:16
  • @Dr.Avalanche That may be the case, and as I said, when he has the chance, I hope he avails himself of it. – DTK Sep 29 '14 at 09:18
  • As @HBruijn said, yes, Ubuntu is still maintaining the Apache 2.2 version. You can see in my question that it was built on `Jul 22 2014 14:35:25`, but the version is marked as obsolete on the PCI scan, which I thought is not right. Thanks to all for the great comments. :) – shrish Sep 29 '14 at 09:50
  • 1
    @shrish If your organisation scans like this and flags like this, then you should raise the issue with them, and not hide it or pretend to run another version. – Dr.Avalanche Sep 29 '14 at 09:53
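Both answers recommend `ServerTokens Prod` (and DTK's also `ServerSignature Off`), and the comments point out that the Ubuntu package is patched in place while the version string stays at 2.2.22. The script below is an added example, not code from either answer: it checks what a server's `Server:` header and error pages actually disclose, so you can confirm the directives took effect after the restart, and it prints the package-level evidence (version and changelog CVE count) you would hand to the scanning vendor when disputing the finding. The header and body strings are constructed samples, `www.example.com` is a placeholder, and the changelog path is assumed to be the standard Debian location.

```shell
#!/bin/sh
# Added example, not part of the original answers. Verifies the effect of
#   ServerTokens Prod
#   ServerSignature Off
# by classifying what a "Server:" header and an error page reveal.

# Map a Server header value to the ServerTokens level that produces it.
# The patterns follow the documented output of each level:
#   Prod  -> "Apache"         Min  -> "Apache/2.2.22"
#   Major -> "Apache/2"       OS   -> "Apache/2.2.22 (Ubuntu)"
#   Minor -> "Apache/2.2"     Full -> "Apache/2.2.22 (Ubuntu) PHP/5.3.10"
server_tokens_level() {
    case "$1" in
        Apache)                 echo Prod ;;
        "Apache/"*") "*)        echo Full ;;   # module list after the OS
        "Apache/"*" ("*)        echo OS ;;
        "Apache/"*.*.*)         echo Min ;;
        "Apache/"*.*)           echo Minor ;;
        "Apache/"*)             echo Major ;;
        *)                      echo Unknown ;;
    esac
}

# Return 0 if an error page still carries the ServerSignature footer
# (the "<address>... Server at host Port n</address>" line), 1 otherwise.
signature_present() {
    case "$1" in
        *"<address>"*" Server at "*" Port "*"</address>"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined verdict: "ok" only when the header is at the Prod level and the
# error page has no signature line; otherwise "leaks (<level>)".
disclosure_verdict() {
    lvl=$(server_tokens_level "$1")
    if [ "$lvl" = Prod ] && ! signature_present "$2"; then
        echo ok
    else
        echo "leaks ($lvl)"
    fi
}

# Live check against a host (not run here). The second request is for a
# path that should 404 so the error body goes through the signature check.
probe_server() {
    host=$1
    hdr=$(curl -s -D - -o /dev/null "http://$host/" \
          | grep -i '^Server:' | head -n 1 | cut -d' ' -f2- | tr -d '\r')
    body=$(curl -s "http://$host/no-such-path-$$")
    disclosure_verdict "$hdr" "$body"
}

# Evidence that fixes are backported even though the version string is
# still 2.2.22: the package version and the number of changelog entries
# mentioning a CVE. Assumed standard Debian changelog path; not run here.
backport_evidence() {
    dpkg-query -W -f='apache2 ${Version}\n' apache2
    zgrep -c -i 'cve-' /usr/share/doc/apache2/changelog.Debian.gz
}

# Constructed samples: a default 12.04 build, and the same server after the
# two directives above were added and Apache restarted.
DEFAULT_HDR='Apache/2.2.22 (Ubuntu)'
DEFAULT_404='<h1>Not Found</h1><hr><address>Apache/2.2.22 (Ubuntu) Server at www.example.com Port 80</address>'
HARDENED_HDR='Apache'
HARDENED_404='<h1>Not Found</h1>'

echo "default:  $(disclosure_verdict "$DEFAULT_HDR" "$DEFAULT_404")"
echo "hardened: $(disclosure_verdict "$HARDENED_HDR" "$HARDENED_404")"
```

Run `probe_server www.example.com` against your own host before and after the change; `ServerTokens Prod` still leaves the word `Apache` (the directive cannot remove it), so a verdict of `ok` means the scanner can no longer read the version from the banner, not that the server is patched. `backport_evidence` is what answers the actual finding: the package version and the backported-CVE history are what the scanning vendor needs to mark the result a false positive.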