
Apache HTTP Proxy - Version 2.4.52



Is the HTTP proxy affected by CVE-2021-44224 or CVE-2021-44790 (see https://httpd.apache.org/security/vulnerabilities_24.html)?

I would assume yes for CVE-2021-44224 since it is configured as a forward proxy (ProxyRequests on) and no for CVE-2021-44790 since mod_lua is not enabled. Would appreciate if ESET admins could clarify and update the now outdated apachehttp.zip (https://www.eset.com/int/business/download/eset-protect/#standalone) from 2.4.51 to 2.4.52.

Thank you,
Stefan
 


  • 2 weeks later...

Hi,

Clarification on CVE-2021-44832 would also be helpful. We have currently disabled our onsite ESET Apache HTTP Proxy v 2.4.48.0; luckily, most users are working from home.

Summary:
ESET Apache HTTP Proxy v 2.4.51.0 CVE-2021-42013 fixed but not CVE-2021-44790 & CVE-2021-44224

New version Apache HTTP Proxy not available from ESET yet 2.4.52.0 CVE-2021-44790 & CVE-2021-44224 fixed, CVE-2021-44832 not fixed.


On 1/7/2022 at 11:42 AM, Peter Randziak said:

Hello guys,

a new version of Apache HTTP Proxy based on 2.4.52 will be built and released.

Regards, Peter

Do we have a timescale?
We're trying to be patient.


  • 1 month later...

Our cyber security team is requesting an upgrade to Apache version 2.4.52 or later. Please advise on this.

ESET PROTECT (Server), Version 9.0 (9.0.1144.0) is installed on Windows 2016 server.

Is the above standalone link for Apache HTTP Proxy supported on Windows 2016? Please advise.


  • Administrators
2 hours ago, shainu said:

Our cyber security team is requesting an upgrade to Apache version 2.4.52 or later. Please advise on this.

Could you provide the exact reasons for this? To the best of my knowledge, the Apache HTTP Proxy provided by ESET is not affected by vulnerabilities in the default configuration.


Hi Peter,

Is Apache HTTP 2.4.52 supported on Windows 2016 Server?

The ESET PROTECT version installed in our environment is ESET PROTECT (Server), Version 9.0 (9.0.1144.0).

Also, Apache HTTP Proxy version 2.4.51 is installed.

Please advise.

Regards


  • 4 weeks later...

Can we upgrade the Apache Proxy version manually in a Virtual Appliance environment?

The current version is below:

Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 10 2021 14:26:31

ESET Protect 9.0
 


  • ESET Staff
On 3/19/2022 at 6:41 AM, Faizan Siddiuqi said:

Can we upgrade the Apache Proxy version manually in a Virtual Appliance environment?

The current version is below:

Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 10 2021 14:26:31

ESET Protect 9.0
 

The Virtual Appliance uses the standard/official CentOS7 package for Apache HTTP Proxy (package named httpd), and it is definitely recommended to update it, along with the whole operating system, using standard mechanisms.
Just be aware that CentOS7 (and RedHat) backport security and other bugfixes into the package without changing versions. That is why version 2.4.6 might be confusing, but it will most probably contain all security fixes for the issues it was affected by. This can also be verified in the changelog of this package once the system is updated. The following command will list the changelog of the relevant package:

rpm -q --changelog httpd

where specifically CVE-2021-44790 was fixed in 01/2022.

 


This topic is now closed to further replies.
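
The changelog check described in the last reply can be scripted so that each CVE ID is mapped to the package changelog entry that mentions it. This is an added example, not part of the original thread or ESET's tooling; the function names and the sample changelog are constructed for illustration, and the input format assumed is the one printed by `rpm -q --changelog`.

```shell
#!/usr/bin/env bash
# Added example: report which CVE IDs are mentioned in an RPM changelog.
# Each changelog entry starts with "* <date> <packager> - <version-release>",
# newest entry first, followed by "- ..." lines describing the changes.

cve_backport_status() {
    # usage: cve_backport_status CVE-ID... < changelog-text
    # output: one tab-separated line per ID: <id> <fixed|not-listed> <entry header>
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        /^\* / { header = substr($0, 3); next }   # remember the current entry
        {
            # The trailing ([^0-9]|$) stops a shorter ID matching a longer one.
            for (i = 1; i <= n; i++) {
                if (!(want[i] in hit) && match($0, want[i] "([^0-9]|$)")) {
                    hit[want[i]] = header
                }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (want[i] in hit) {
                    printf "%s\tfixed\t%s\n", want[i], hit[want[i]]
                } else {
                    # Not listed: the installed build has no changelog line for
                    # this ID. It may be unaffected or the update is missing.
                    printf "%s\tnot-listed\t-\n", want[i]
                }
            }
        }'
}

# Constructed sample input (placeholder release numbers and bug IDs).
sample_changelog() {
    cat <<'EOF'
* Mon Jan 24 2022 Packager <packager@example.invalid> - 2.4.6-EXAMPLE.2
- Resolves: #0000000 - CVE-2021-44790 (constructed line)
* Tue Oct 05 2021 Packager <packager@example.invalid> - 2.4.6-EXAMPLE.1
- constructed entry without a CVE reference
EOF
}

# Demo on the constructed sample. On a real system, pipe the live changelog:
#   rpm -q --changelog httpd | cve_backport_status CVE-2021-44790 CVE-2021-44224
sample_changelog | cve_backport_status CVE-2021-44790 CVE-2021-44224
```

A `not-listed` result is a prompt to check the vendor advisory for that ID, since the changelog only records fixes that were actually shipped in the installed build.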