
UCS Manager - 1.4.1j and earlier - Apache Security Vuln?

Kris Pate (Level 4)

I was running UCSM 1.3.1c and was notified by security that the web server component had a security vulnerability.

I upgraded to 1.4.1j and had them rescan and they are still seeing it as being unpatched.

Has anyone else had their UCSM scanned for security vulnerabilities and found this?

Is there some documentation on which software versions are included in UCSM? (like the version of apache)
Any idea when a patched version will be included in UCSM? Is it being fixed in the upcoming 1.4.1k?

http://httpd.apache.org/security/vulnerabilities_22.html

Accepted Solution

Robert Burns (Cisco Employee)

Greetings Kris,

UCS version 1.4 currently uses Apache version 2.2.15, because at the time it was developed this was the most current release. UCS will have the updated Apache fixes for 2.2.17 in the next major release, tentatively scheduled in the next 6 months. Apache updates/fixes will likely be incorporated into major UCS releases/updates.

After discussing the vulnerability concerns with the current version of Apache in 1.4, none of the vulnerabilities are relevant to UCS. Our development team looked into this and concluded UCSM will not be affected by libexpat-related vulnerabilities, and the apr_brigade_split_line DoS doesn't have any effect on UCSM as we are not using this API.

Regards,

Robert

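The scanner in this thread keeps flagging the appliance because it compares the reported Apache version (2.2.15) against the release the Apache project lists as carrying later fixes (2.2.17), regardless of whether the affected code paths are reachable. The script below is an added example (not from the thread, Cisco, or the Apache project) of that banner-based logic as a defender would reproduce it for triage: it parses a version out of a Server banner, compares it numerically rather than as a string (so 2.2.9 correctly sorts below 2.2.15), and records the vendor's "API not used" statement as the justification for a risk-accepted disposition while the finding stays open until the updated release ships. The banner string and the function and field names are constructed for illustration.

```python
import re

# Constructed sample inputs: a Server banner as a scanner would see it from
# the UCSM web server (Apache 2.2.15 per the vendor's reply) and the Apache
# 2.2 release that the project page lists as carrying the later fixes.
SAMPLE_BANNER = "Server: Apache/2.2.15 (Unix)"
FIXED_IN = "2.2.17"


def parse_version(text):
    """Return the numeric components of the first dotted version in text."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_below(found, fixed):
    """True if 'found' is older than 'fixed', compared component by component.

    A plain string comparison would rank "2.2.9" above "2.2.15"; padding
    with zeros also lets "2.2" compare equal to "2.2.0".
    """
    a, b = parse_version(found), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(banner, fixed_in, not_applicable_reasons=()):
    """Decide how to handle a banner-based scanner finding.

    The scanner's view is purely version-based ('flagged'). The disposition
    applies any documented applicability statement, e.g. the vendor's note
    that the affected API is not used, without closing the finding: it stays
    tracked until a release at or above 'fixed_in' is running.
    """
    flagged = version_below(banner, fixed_in)
    if not flagged:
        disposition = "not flagged"
    elif not_applicable_reasons:
        disposition = "risk accepted pending vendor update"
    else:
        disposition = "remediate or obtain vendor statement"
    return {
        "found": ".".join(str(p) for p in parse_version(banner)),
        "fixed_in": fixed_in,
        "flagged": flagged,
        "disposition": disposition,
        "reasons": list(not_applicable_reasons),
    }


if __name__ == "__main__":
    # Hypothetical applicability note, paraphrasing the vendor reply above.
    note = "vendor states the affected API is not used by the product"
    print(triage(SAMPLE_BANNER, FIXED_IN, [note]))
```

The point of keeping the finding flagged but annotated is that the scanner result is not wrong about the version; it is only missing the applicability context, and that context should be stored with the finding so the next rescan does not restart the same discussion.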

3 Replies


Robert,

Thanks for the thorough answer. I will let my security team know.

In the future is there any documentation that lists the different versions of Open Source software in use with UCSM?

Kris

Yes. Internally we've discussed this and it should be included in the next version of Release notes.

Regards,

Robert
