Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5014
Views
0
Helpful
9
Replies

Apache Vulnerabilities in UCS 2.0(1w)

Go to solution
Mierdin21
Level 1
Level 1

‎05-30-2012 10:28 AM - edited ‎03-01-2019 10:26 AM

I received notice from a security person in my organization that the current firmware we're running on our UCS environment, which is 2.0(1w), has a few Sev1 Apache vulnerabilities, all of which are fixed in Apache version 2.2.22 or later. Unfortunately, I have not been able to find any documentation that indicates what version of Apache is running on specific releases of firmware.

Let's start with this - I would like to upgrade to 2.0(2q), since I've heard that version is somewhat stable and well-received by those that have installed it. How would I go about finding the version of Apache running in that level of firmware?

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
padramas
Cisco Employee
Cisco Employee
In response to mipetrin

‎05-30-2012 09:52 PM

Matt,

From lab system running 2.0.2q

# curl -I

HTTP/1.1 302 Found

Date: Thu, 31 May 2012 04:49:12 GMT

Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/FIPS

Location: https://

Content-Type: text/html; charset=iso-8859-1

HTH

Padma

View solution in original post

0 Helpful

Go to solution
mipetrin
Cisco Employee
Cisco Employee
In response to padramas

‎05-30-2012 10:31 PM

Yes, thanks for pointing that out Padma. Good to check what version of Apache is already running on the system.

I'll let you know what I hear about the documents from product management.

Just to make it clear, the option that Padma used in his curl command is a capital I (as in India). Alternatively, you can use:

# curl --head

Cisco is aware of the Apache vulnerabilities that your security engineer has highlighted to you. Cisco is tracking this issue and currently determining the earliest release which Apache can be upgraded to version 2.2.22

Thanks,

Michael

View solution in original post

0 Helpful
9 Replies 9

Go to solution
mipetrin
Cisco Employee
Cisco Employee

‎05-30-2012 07:26 PM

Hi Matt,

To see what

Under General References, you will find documents detailing what open source software is used.

http://www.cisco.com/en/US/products/ps10477/prod_technical_reference_list.html#anchor4

In saying that, there are currently only two versions available:

I'll check with the product team if there is a version available for UCS 2.0(2).

Thanks,

Michael

0 Helpful

Go to solution
padramas
Cisco Employee
Cisco Employee
In response to mipetrin

‎05-30-2012 09:52 PM

Matt,

From lab system running 2.0.2q

# curl -I

HTTP/1.1 302 Found

Date: Thu, 31 May 2012 04:49:12 GMT

Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/FIPS

Location: https://

Content-Type: text/html; charset=iso-8859-1

HTH

Padma

0 Helpful

Go to solution
mipetrin
Cisco Employee
Cisco Employee
In response to padramas

‎05-30-2012 10:31 PM

Yes, thanks for pointing that out Padma. Good to check what version of Apache is already running on the system.

I'll let you know what I hear about the documents from product management.

Just to make it clear, the option that Padma used in his curl command is a capital I (as in India). Alternatively, you can use:

# curl --head

Cisco is aware of the Apache vulnerabilities that your security engineer has highlighted to you. Cisco is tracking this issue and currently determining the earliest release which Apache can be upgraded to version 2.2.22

Thanks,

Michael

0 Helpful

Go to solution
mwronkow
Cisco Employee
Cisco Employee
In response to mipetrin

‎05-31-2012 06:20 AM

I'll also add that device management ports, regardless of device type or vendor, should be kept behind a firewall with network access restricted to trusted users.

Matthew

0 Helpful

Go to solution
ravi.teja@dimensiondata.com
Level 1
Level 1
In response to padramas

‎04-17-2018 09:41 PM

Mentioned commands are not working to check the appache version existed and also please share any documents realted about upgrading the appache in ucs environment

0 Helpful

Go to solution
ravi.teja@dimensiondata.com
Level 1
Level 1
In response to padramas

‎04-17-2018 09:43 PM

Mentioned commands are not working to check the appache version existed and also please share any documents realted about upgrading the appache in ucs environment

 

Upgrade to Apache version 2.4.28 or later.

Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)

 
0 Helpful

Go to solution
Niko Nikas
Cisco Employee
Cisco Employee
In response to ravi.teja@dimensiondata.com

‎04-19-2018 12:30 PM

Ravi,

You should be able to run the curl command from a Unix/Linux system.

Where are you attempting to run it from? 

Ex. If I want information from my lab, then from a Terminal session on my machine I can run...

      'curl -I <ip address of my ucs>'

 

Apache cannot be updated (as far as I'm aware) standalone from the infrastructure of the domain.

So if you are looking at updating Apache for a vulnerability, then you are looking at performing an infrastructure update.

 

Regards.

0 Helpful

Go to solution
Mierdin21
Level 1
Level 1

‎06-01-2012 06:23 AM

Thanks, all. I have what I need for now. I've been told by my Cisco contacts that 2.0(3) is just around the corner, which will come with Apache 2.2.22.

0 Helpful

Go to solution
mipetrin
Cisco Employee
Cisco Employee
In response to Mierdin21

‎06-05-2012 08:43 PM

Just to close out on another point in this thread, we have now posted an Open Source List 2.0(2)

http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/UCS_2_0_2_Open_Source_Documentation.pdf

Thanks,

Michael

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card