Apache Lounge

Topic: Security hardening apache, single issue remains
Author
wex65



Joined: 21 Nov 2021
Posts: 4
Location: USA, WV

PostPosted: Sun 21 Nov '21 17:41    Post subject: Security hardening apache, single issue remains

I am a fairly novice user but attempting to pass PCI on a Rocky 8.5 server running Apache 2.4.37.

I have confirmed all CVEs are patched where possible and reconfigured apache to compensate for those where it isn't patched (unloaded unneeded modules, etc.).

I am left with a single CVE (CVE-2021-36160) for which I am not patched and there seems to be no mitigation I am aware of.

From RH:

Quote:
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

So what are my options here? My banking provider insists upon compliance but it seems this CVE has no mitigation possible?? The phrase 'rock and a hard place' springs to mind!

I understand this has been resolved in 2.4.49, so although backporting is the usual approach, why can I not just upgrade in this instance to 2.4.49 or newer, as there is no other mitigation?

Thanks for any input/resources.
Jan-E



Joined: 09 Mar 2012
Posts: 1151
Location: Amsterdam, NL, EU

PostPosted: Sun 21 Nov '21 18:56    Post subject:

CVE-2021-36160 was fixed in Apache 2.4.49.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
https://downloads.apache.org/httpd/CHANGES_2.4
wex65



Joined: 21 Nov 2021
Posts: 4
Location: USA, WV

PostPosted: Sun 21 Nov '21 21:28    Post subject:

Jan-E wrote:
CVE-2021-36160 was fixed in Apache 2.4.49.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
https://downloads.apache.org/httpd/CHANGES_2.4


Yes, I mentioned this in my original post above.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7031
Location: Germany, Next to Hamburg

PostPosted: Sun 21 Nov '21 22:12    Post subject:

Quote:
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS).


mod security can block those harmful requests.
wex65



Joined: 21 Nov 2021
Posts: 4
Location: USA, WV

PostPosted: Sun 21 Nov '21 22:32    Post subject:

James Blond wrote:
Quote:
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS).


mod security can block those harmful requests.


Many thanks for the pointer; can you provide any further insight into how this might be done?

Also, is there a reason NOT to upgrade apache to a later version? Server OS is Rocky 8.5. I do understand that typically the focus is on backporting rather than moving to a new version.

Paul
wex65



Joined: 21 Nov 2021
Posts: 4
Location: USA, WV

PostPosted: Mon 22 Nov '21 22:21    Post subject:

For anyone viewing this in the future, the solution was even easier: I simply unloaded the offending module (mod_proxy_uwsgi), which was not needed.
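The fix described in the post above (unload mod_proxy_uwsgi when nothing on the server uses it), as an added example that is not code from the thread or from the Apache project: a small POSIX shell script that comments out the module's LoadModule line, counts how many active LoadModule lines remain, and checks a `httpd -M` listing for the module. The config location (/etc/httpd/conf.modules.d/ on RHEL-family systems such as Rocky 8) and the exact wording of the LoadModule line are assumptions; the demonstration runs against a constructed copy of a module config, never the live file.

```shell
#!/bin/sh
# Added example, not code from the thread or the Apache project.
# Assumption: the RHEL/Rocky layout, where LoadModule lines live under
# /etc/httpd/conf.modules.d/ and the uwsgi proxy line reads
# "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so".

# Count LoadModule lines for MODULE in CONF that are still active (not
# commented out). Prints the count and exits 0 even when the count is zero.
count_enabled() {
    module="$1"; conf="$2"
    grep -c "^[[:space:]]*LoadModule[[:space:]]\{1,\}${module}[[:space:]]" "$conf" || true
}

# Comment out every active LoadModule line for MODULE in CONF.
# Idempotent: lines that are already comments are left unchanged, and
# "proxy_module" is not touched when asked for "proxy_uwsgi_module" because
# the pattern requires whitespace right after the full module name.
disable_module() {
    module="$1"; conf="$2"
    sed "s|^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}${module}[[:space:]]\)|\1#\2|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 if MODULE appears in a "httpd -M" listing fed on stdin, where each
# loaded module is printed as " name (shared)" or " name (static)".
# Real use on the server:  httpd -M 2>/dev/null | module_loaded proxy_uwsgi_module
module_loaded() {
    grep -q "^[[:space:]]*$1[[:space:]]*("
}

# Demonstration on a constructed sample config (not the real file).
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'LoadModule proxy_module modules/mod_proxy.so' \
        'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so' \
        '# LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so' > "$tmp"
    echo "before: $(count_enabled proxy_uwsgi_module "$tmp") active uwsgi line(s)"
    disable_module proxy_uwsgi_module "$tmp"
    echo "after:  $(count_enabled proxy_uwsgi_module "$tmp") active uwsgi line(s)"
    cat "$tmp"
    rm -f "$tmp"
    # On the real host, finish with:  apachectl configtest && systemctl restart httpd
    # and confirm with:               httpd -M | grep proxy_uwsgi   (expect no output)
}

demo
```

Run `apachectl configtest` before restarting so a typo in the edited file does not take the server down, and keep the module's LoadModule line rather than deleting it so the change is visible in the config history and easy to revert if something turns out to depend on the uwsgi proxy.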