st3fan, Posted December 22, 2021

Is the HTTP proxy affected by CVE-2021-44224 or CVE-2021-44790 (see https://httpd.apache.org/security/vulnerabilities_24.html)? I would assume yes for CVE-2021-44224 since it is configured as a forward proxy (ProxyRequests on) and no for CVE-2021-44790 since mod_lua is not enabled.

Would appreciate if ESET admins could clarify and update the now outdated apachehttp.zip (https://www.eset.com/int/business/download/eset-protect/#standalone) from 2.4.51 to 2.4.52.

Thank you,
Stefan

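An added example, not part of the original post and not ESET's tooling: the two preconditions raised in the question above (forward proxying through `ProxyRequests On` for CVE-2021-44224, a loaded mod_lua for CVE-2021-44790) checked against a configuration file. The sample configuration is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample resembling a forward-proxy httpd.conf (not ESET's actual file).
SAMPLE_CONF='
# LoadModule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
  proxyrequests   on
'

# Drop leading whitespace, comment lines and blank lines so that only
# directives httpd would actually read remain.
active_directives() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Print two findings for the configuration text in $1:
#   forward-proxy=yes|no       any active "ProxyRequests On" (CVE-2021-44224)
#   mod_lua=loaded|not-loaded  active "LoadModule lua_module" (CVE-2021-44790)
# Matching is case-insensitive, as httpd directive names are.
# Any "On" counts, which is deliberately conservative when the directive repeats.
check_httpd_conf() {
    conf=$(active_directives "$1")
    if printf '%s\n' "$conf" | grep -Eiq '^ProxyRequests[[:space:]]+On([[:space:]]|$)'; then
        echo "forward-proxy=yes"
    else
        echo "forward-proxy=no"
    fi
    if printf '%s\n' "$conf" | grep -Eiq '^LoadModule[[:space:]]+lua_module([[:space:]]|$)'; then
        echo "mod_lua=loaded"
    else
        echo "mod_lua=not-loaded"
    fi
}

check_httpd_conf "$SAMPLE_CONF"
```

On a live system `httpd -M` lists the modules actually loaded, including any pulled in through included files, which a single-file scan like this one misses.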
Peter Randziak (ESET Moderators), Posted December 23, 2021

Hello @st3fan,

I'm checking it with the dev team.

Regards, Peter

BobK, Posted January 4, 2022

Hi,

Clarification on CVE-2021-44832 would also be helpful, we have currently disabled our onsite ESET Apache HTTP Proxy v 2.4.48.0, luckily most users are working from home.

Summary:
ESET Apache HTTP Proxy v 2.4.51.0 CVE-2021-42013 fixed but not CVE-2021-44790 & CVE-2021-44224
New version Apache HTTP Proxy not available from ESET yet 2.4.52.0 CVE-2021-44790 & CVE-2021-44224 fixed, CVE-2021-44832 not fixed.

BobK, Posted January 6, 2022

> On 12/23/2021 at 8:01 AM, Peter Randziak said:
> Hello @st3fan, I'm checking it with the dev team. Regards, Peter

Any response yet?

st3fan (Author), Posted January 6, 2022

@Peter Randziak please advise.

Peter Randziak (ESET Moderators), Posted January 7, 2022

Hello guys,

a new version of Apache HTTP Proxy based on 2.4.52 will be built and released.

Regards, Peter

BobK, Posted January 12, 2022

> On 1/7/2022 at 11:42 AM, Peter Randziak said:
> Hello guys, a new version of Apache HTTP Proxy based on 2.4.52 will be built and released. Regards, Peter

Do we have a timescale? We're trying to be patient.

Peter Randziak (ESET Moderators), Posted January 13, 2022

Hello @BobK,

The teams responsible are working on it, but the whole process takes some time and the release dates are not being disclosed in advance...

Thank you for being patient.

Peter

Peter Randziak (ESET Moderators), Posted January 19, 2022

Hello guys,

It has been released https://www.eset.com/int/business/download/eset-protect/#standalone

Regards, Peter

st3fan (Author), Posted January 19, 2022

Thank you.

BobK, Posted January 19, 2022

> 3 hours ago, Peter Randziak said:
> Hello guys, It has been released https://www.eset.com/int/business/download/eset-protect/#standalone Regards, Peter

Thanks, looks to be running fine

shainu, Posted February 21, 2022

Our cyber security team is requesting an upgrade to Apache version 2.4.52 or later. Please advise on this.

ESET PROTECT (Server), Version 9.0 (9.0.1144.0) is installed on a Windows 2016 server.

Does the above standalone link for Apache HTTP Proxy support Windows 2016? Please advise.

Marcos (Administrators), Posted February 21, 2022

> 2 hours ago, shainu said:
> Our cyber security team is requesting an upgrade to Apache version 2.4.52 or later. Please advise on this.

Could you provide exact reasons for this? To my best knowledge, Apache HTTP proxy provided by ESET is not affected by vulnerabilities in default configuration.

Peter Randziak (ESET Moderators), Posted February 21, 2022

Hello @shainu,

just to add, the version of Apache HTTP Proxy offered by ESET is of version 2.4.52 https://www.eset.com/int/business/download/eset-protect/#standalone

Peter

shainu, Posted February 21, 2022

Hi Peter,

Is Apache HTTP 2.4.52 supported for Windows 2016 server?

The ESET PROTECT version installed in our environment is ESET PROTECT (Server), Version 9.0 (9.0.1144.0). Also, Apache HTTP proxy version 2.4.51 is installed.

Please advise.

Regards

Peter Randziak (ESET Moderators), Posted February 21, 2022

> 38 minutes ago, shainu said:
> Is Apache HTTP 2.4.52 supported for Windows 2016 server?

Yes, it is, so you may upgrade to it.

Peter

Faizan Siddiuqi, Posted March 19, 2022

Can we upgrade the Apache Proxy version manually in a Virtual appliance environment? The current version is below:

    Server version: Apache/2.4.6 (CentOS)
    Server built: Nov 10 2021 14:26:31

ESET Protect 9.0

MartinK (ESET Staff), Posted March 21, 2022

> On 3/19/2022 at 6:41 AM, Faizan Siddiuqi said:
> Can we upgrade the Apache Proxy version manually in a Virtual appliance environment? The current version is below: Server version: Apache/2.4.6 (CentOS) Server built: Nov 10 2021 14:26:31 ESET Protect 9.0

The virtual appliance uses the standard/official CentOS7 package for Apache HTTP proxy (package named httpd) and it is definitely recommended to update it, including the whole operating system, using standard mechanisms. Just be aware that CentOS7 (and RedHat) are backporting security and other bugfixes into the package without changing versions, which is why version 2.4.6 might be confusing, but it will most probably contain all security fixes it was affected by. It can also be verified in the changelog of this package once the system is updated. The following command will list the changelog of the relevant package:

    rpm -q --changelog httpd

where specifically CVE-2021-44790 was fixed in 01/2022.

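An added example, not from the thread or from ESET: the changelog check described above, turned into a function that reports which changelog entry mentions each CVE ID and fails if any ID is absent. The changelog text, packager, bug numbers and package releases are constructed placeholders, and the function name is hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the output of: rpm -q --changelog httpd
SAMPLE_CHANGELOG='* Mon Jan 10 2022 Example Packager <packager@example.invalid> - 2.4.6-0.example.2
- Resolves: #0000000 - CVE-2021-44790 httpd: mod_lua: possible buffer
  overflow when parsing multipart content
* Tue Oct 12 2021 Example Packager <packager@example.invalid> - 2.4.6-0.example.1
- Resolves: #0000000 - placeholder non-security bugfix entry'

# Usage: cve_in_changelog CHANGELOG_TEXT CVE-ID...
# Prints "<CVE> fixed: <entry header>" or "<CVE> NOT FOUND" per ID.
# Returns 0 only if every ID is mentioned in the changelog.
cve_in_changelog() {
    changelog=$1; shift
    missing=0
    for cve in "$@"; do
        # Entries start with "* <date> <packager> - <version-release>".
        # Remember the latest header and print it at the first mention.
        # The trailing ([^0-9]|$) stops a shorter ID from matching a longer one.
        hit=$(printf '%s\n' "$changelog" | awk -v cve="$cve" '
            /^\* / { header = $0 }
            $0 ~ (cve "([^0-9]|$)") { print header; exit }')
        if [ -n "$hit" ]; then
            printf '%s fixed: %s\n' "$cve" "$hit"
        else
            printf '%s NOT FOUND\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# On a real host: cve_in_changelog "$(rpm -q --changelog httpd)" CVE-2021-44790
cve_in_changelog "$SAMPLE_CHANGELOG" CVE-2021-44790 CVE-2021-44224 || true
```

NOT FOUND only means the changelog does not mention the ID; the distribution's advisory says whether that package build was affected in the first place.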