
Apache Vulnerabilities

We did a penetration test on Groupwise webaccess and it came back with about 20 Apache vulnerabilities!

The recommended solution is to update Apache to the latest version, can I just use Yast to do this?

Thanks

Re: Apache Vulnerabilities

fgams;2279843 wrote:
We did a penetration test on Groupwise webaccess and it came back with about 20 Apache vulnerabilities!

The recommended solution is to update Apache to the latest version, can I just use Yast to do this?

Thanks


What OS are you running?

Generally speaking, using Yast to apply latest updates will not break anything in my experience. However, you will want to read the release notes for whatever version of 2012 you have installed to make sure it's a supported platform. It's also good to be upfront with salient details when you post to reduce the cycle time.

-- Bob

Re: Apache Vulnerabilities

Bob-O-Rama;2279851 wrote:
What OS are you running?


Sorry Bob, can't imagine anyone running anything other than OES11. 😉 I'm running Groupwise 2012 on OES11.

I was thinking of using "zypper up apache2" at the command prompt, but I'm not sure if GW Webaccess has a custom setup of Apache.

Thanks!

Re: Apache Vulnerabilities

just a couple of config files and an apache app as far as I know

i've done server patching and even entire server updates from oes2 to oes11 without any adverse effects on webacc

if it's installed on a supported OS platform then it shouldn't cause any issues at all, just bear in mind if you have modified any of the apache config files yourself they might get replaced by new ones from the rpm (the old ones should be renamed .rpmsave anyway though)

and if you mean OES11 as in OES11 SP0, it's time to put SP1 on the box 🙂


Re: Apache Vulnerabilities

fgams;2279861 wrote:
Sorry Bob, can't imagine anyone running anything other than OES11. 😉 I'm running Groupwise 2012 on OES11.

I was thinking of using "zypper up apache2" at the command prompt, but I'm not sure if GW Webaccess has a custom setup of Apache.

Thanks!


Placing updates should not interfere with the configuration files. Instead of only updating the Apache parts, I'd recommend to apply updates for the whole system.

When using zypper and having OES on top of SLES, the correct procedure is to run "zypper up -t patch"

I prefer running the Online Updater in the YaST GUI as conflict messages (if you run into them) are easier to read/manage imo.

Cheers,
Willem

Re: Apache Vulnerabilities

magic31;2279886 wrote:

When using zypper and having OES on top of SLES, the correct procedure is to run "zypper up -t patch"


Thank you guys. Will do a full backup first.

I am running OES11 SP0. This probably isn't the forum for it, but I'm confused about the SP1 install. I've seen patches for OES11 that prevent an auto update to SLES11 SP2, what's that about?

So I've been gun shy about applying SP1, fearing it would screw something up.

Wish Novell would have a more detailed explanation of the patching sequence and why!

Thanks again.

Re: Apache Vulnerabilities

On 30/08/2013 05:36, fgams wrote:

> I am running OES11 SP0. This probably isn't the forum for it, but I'm
> confused about the SP1 install. I've seen patches for OES11 that prevent
> an auto update to SLES11 SP2, what's that about?


That will be to stop you upgrading the underlying SLES11 SP1 on an OES11
(SP0) server to SLES11 SP2 without also upgrading OES11 (SP0) to OES11
SP1. OES11 (SP0) on SLES11 SP2 is not a valid or supported combo and you
have to upgrade both SLES and OES together.

> Wish Novell would have a more detailed explanation of the patching
> sequence and why!


HTH.
--
Simon
Novell Knowledge Partner

------------------------------------------------------------------------
Do you work with Novell technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.
------------------------------------------------------------------------

Re: Apache Vulnerabilities

On 29/08/2013 16:49, fgams wrote:

> Sorry Bob, can't imagine anyone running anything other than OES11. 😉
> I'm running Groupwise 2012 on OES11.


Since you've said you're using OES11 (SP0) I'll note that the latest version
of GroupWise 2012 is GroupWise 2012 SP2.

> I was thinking of using "zypper up apache2" at the command prompt, but
> I'm not sure if GW Webaccess has a custom setup of Apache.


Well if there are Apache patches available in the SLES11-SP1-Updates catalog
that will update Apache.

You should also note that depending on how the penetration test
determined there were Apache vulnerabilities with your GW WebAccess
server it may be that it will still think there are some even after
updating OES11 and/or GW2012.

The reason for this will be because some penetration tests check version
strings and believe them without probing further. SUSE will backport
security fixes for later software packages into known stable earlier
versions so the version appears to be old (and therefore considered
vulnerable) but the fix is in place.

One way to "fix" this with Apache is to not report the Apache version -
you can do this by setting APACHE_SERVERTOKENS in /etc/sysconfig/apache2
to ProductOnly, Major, or Minor. See
http://httpd.apache.org/docs/2.2/mod/core.html#servertokens for what
each of those will report.

HTH.
--
Simon
Novell Knowledge Partner

0 Likes
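
The point in the reply above about backported fixes and version banners, as an added example that is not part of the original thread: it checks each CVE from a scan report against the package changelog text and reports how much version detail a given APACHE_SERVERTOKENS value leaves in the Server header. The function names, the sample changelog, the sample sysconfig text and the CVE IDs are all constructed placeholders.

```shell
# Added example; on a real host the changelog is `rpm -q --changelog apache2`.
# All SAMPLE_* data is constructed; the CVE IDs are placeholders.
SAMPLE_CHANGELOG='* Tue Jan 01 2013 packager@example.invalid
- fix for CVE-0000-0001: constructed entry
- httpd-CVE-0000-0003.patch: constructed entry
* Fri Jun 01 2012 packager@example.invalid
- update docs, no security content'
SAMPLE_FINDINGS='CVE-0000-0001
CVE-0000-0003
CVE-0000-0004'
SAMPLE_SYSCONFIG='APACHE_MODULES="authz_host alias"
APACHE_SERVERTOKENS="Minor"'

# classify_cve CHANGELOG CVE: "patched" if the changelog names the CVE as a whole
# word, else "unconfirmed" (needs manual review, not proof of exposure).
classify_cve() {
    if printf '%s\n' "$1" | grep -qwF -- "$2"; then echo patched; else echo unconfirmed; fi
}

# triage CHANGELOG FINDINGS: one "CVE status" line per scanner finding.
triage() {
    while IFS= read -r _cve; do
        [ -n "$_cve" ] && printf '%s %s\n' "$_cve" "$(classify_cve "$1" "$_cve")"
    done <<EOF
$2
EOF
    return 0
}

# servertokens_value SYSCONFIG_TEXT: value of APACHE_SERVERTOKENS, empty if unset.
servertokens_value() {
    printf '%s\n' "$1" | sed -n 's/^APACHE_SERVERTOKENS="\([^"]*\)".*/\1/p' | tail -n 1
}

# banner_detail VALUE: version detail in the Server header per ServerTokens keyword.
banner_detail() {
    case "$1" in
        Prod|ProductOnly) echo none ;;
        Major)            echo major ;;
        Minor)            echo major.minor ;;
        Min|Minimal)      echo full-version ;;
        OS)               echo full-version+os ;;
        Full)             echo full-version+os+modules ;;
        *)                echo unknown ;;
    esac
}
triage "$SAMPLE_CHANGELOG" "$SAMPLE_FINDINGS"
echo "ServerTokens detail: $(banner_detail "$(servertokens_value "$SAMPLE_SYSCONFIG")")"
```

A finding reported as unconfirmed is not proof of exposure; it only means the changelog does not name that CVE and the finding needs manual review.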

Re: Apache Vulnerabilities

Now that's helpful, Thanks!

Re: Apache Vulnerabilities

fgams;2280731 wrote:
Now that's helpful, Thanks!


Feedback is important (both negative and positive) and always appreciated. In the past we have not actively solicited feedback from the Community and left it up to individual Members to provide feedback (as you did in your post) when they saw fit... but this is changing.

When you, or anyone for that matter, see a post you find particularly helpful you can show your appreciation by clicking on the star below the post. You can optionally leave a brief comment which is always appreciated but it is not necessary.

Clicking on the star assigns reputation points to the poster but more importantly it identifies those posts you find most helpful and notifies both the poster and website administrators. Our goal is to improve the way we support the Community by providing the type of information you find most useful. For that to happen, Members' feedback is essential!

Thank you.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Who are the Knowledge Partners?
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.