Apache Vulnerabilities in UCS 2.0(1w)

Mierdin21
Level 1

I received notice from a security person in my organization that the current firmware we're running on our UCS environment, which is 2.0(1w), has a few Sev1 Apache vulnerabilities, all of which are fixed in Apache version 2.2.22 or later. Unfortunately, I have not been able to find any documentation that indicates what version of Apache is running on specific releases of firmware.

Let's start with this - I would like to upgrade to 2.0(2q), since I've heard that version is somewhat stable and well-received by those that have installed it. How would I go about finding the version of Apache running in that level of firmware?


mipetrin
Cisco Employee

Hi Matt,

To see what

Under General References, you will find documents detailing what open source software is used.

http://www.cisco.com/en/US/products/ps10477/prod_technical_reference_list.html#anchor4

In saying that, there are currently only two versions available:

I'll check with the product team if there is a version available for UCS 2.0(2).

Thanks,

Michael

Matt,

From lab system running 2.0.2q

# curl -I

HTTP/1.1 302 Found

Date: Thu, 31 May 2012 04:49:12 GMT

Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/FIPS

Location: https://

Content-Type: text/html; charset=iso-8859-1

HTH

Padma

Yes, thanks for pointing that out Padma. Good to check what version of Apache is already running on the system.

I'll let you know what I hear about the documents from product management.

Just to make it clear, the option that Padma used in his curl command is a capital I (as in India). Alternatively, you can use:

# curl --head

Cisco is aware of the Apache vulnerabilities that your security engineer has highlighted to you. Cisco is tracking this issue and is currently determining the earliest release in which Apache can be upgraded to version 2.2.22.

Thanks,

Michael
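
The version check discussed in the posts above, written as an added example that is not part of the original thread or Cisco's own tooling: it pulls the Apache version out of `curl -I` response headers and compares it with the fixed version (2.2.22) named in this thread. The function names and the `UCS_HOST` placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): banner-based Apache version check.
# A Server banner is only a hint: it can be hidden (ServerTokens Prod) and
# does not show vendor-backported fixes, so confirm against release notes.

# Read response headers on stdin; print the Apache version, or nothing.
apache_version() {
    tr -d '\r' | sed -n 's|^[Ss]erver:.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dotted version $1 >= $2 (numeric compare, field by field).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read headers on stdin; $1 is the minimum fixed version.
check_banner() {
    min=$1
    ver=$(apache_version)
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$min"; then
        echo "ok $ver"
    else
        echo "below-minimum $ver"
    fi
}

# Headers as posted above for 2.0(2q), embedded so the script runs offline.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Date: Thu, 31 May 2012 04:49:12 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/FIPS
Location: https://
Content-Type: text/html; charset=iso-8859-1'

printf '%s\n' "$SAMPLE_HEADERS" | check_banner 2.2.22
# Live use (UCS_HOST is a placeholder): curl -sI "http://$UCS_HOST" | check_banner 2.2.22
```

An `unknown` result means the banner carried no version string, in which case the open source list for the firmware release is the place to confirm it.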

I'll also add that device management ports, regardless of device type or vendor, should be kept behind a firewall with network access restricted to trusted users.

Matthew

The mentioned commands are not working to check the existing Apache version. Also, please share any documents related to upgrading Apache in a UCS environment.

 

Upgrade to Apache version 2.4.28 or later.

Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)

 

Ravi,

You should be able to run the curl command from a Unix/Linux system.

Where are you attempting to run it from? 

Ex. If I want information from my lab, then from a Terminal session on my machine I can run...

      'curl -I <ip address of my ucs>'

 

Apache cannot be updated (as far as I'm aware) standalone from the infrastructure of the domain.

So if you are looking at updating Apache for a vulnerability, then you are looking at performing an infrastructure update.

 

Regards.

Mierdin21
Level 1

Thanks, all. I have what I need for now. I've been told by my Cisco contacts that 2.0(3) is just around the corner, which will come with Apache 2.2.22.

Just to close out on another point in this thread, we have now posted an Open Source List 2.0(2)

http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/UCS_2_0_2_Open_Source_Documentation.pdf

Thanks,

Michael
