Cisco Support Community
Community Member

Apache Vulnerabilities in UCS 2.0(1w)

I received notice from a security person in my organization that the current firmware we're running on our UCS environment, which is 2.0(1w), has a few Sev1 Apache vulnerabilities, all of which are fixed in Apache version 2.2.22 or later. Unfortunately, I have not been able to find any documentation that indicates what version of Apache is running on specific releases of firmware.

Let's start with this - I would like to upgrade to 2.0(2q), since I've heard that version is somewhat stable and well-received by those that have installed it. How would I go about finding the version of Apache running in that level of firmware?

Accepted Solutions
Cisco Employee

Apache Vulnerabilities in UCS 2.0(1w)

Matt,

From lab system running 2.0.2q

      # curl -I
      HTTP/1.1 302 Found
      Date: Thu, 31 May 2012 04:49:12 GMT
      Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/FIPS
      Location: https://
      Content-Type: text/html; charset=iso-8859-1

HTH

Padma

Cisco Employee

Apache Vulnerabilities in UCS 2.0(1w)

Yes, thanks for pointing that out Padma. Good to check what version of Apache is already running on the system.

I'll let you know what I hear about the documents from product management.

Just to make it clear, the option that Padma used in his curl command is a capital I (as in India). Alternatively, you can use:

# curl --head

Cisco is aware of the Apache vulnerabilities that your security engineer has highlighted to you. Cisco is tracking this issue and is currently determining the earliest release in which Apache can be upgraded to version 2.2.22.

Thanks,

Michael
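
The banner check described in the two answers above, as an added example that is not part of the original posts: it parses the Server header from `curl -I` output and compares the Apache version numerically against a minimum (2.2.22 in this thread). The function names are hypothetical, and the sample headers are the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the response headers quoted in the thread. The Location
# line is omitted because its value is elided on the page.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Date: Thu, 31 May 2012 04:49:12 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/FIPS
Content-Type: text/html; charset=iso-8859-1'

# Print the Apache version found in HTTP response headers read from stdin.
# Prints nothing when there is no Server header or it carries no version
# number (for example a trimmed "Server: Apache" banner).
apache_version() {
    tr -d '\r' |
        sed -n 's|^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*Apache/\([0-9][0-9.]*\).*|\1|p' |
        head -n 1
}

# Succeed (status 0) if dotted version $1 is strictly lower than $2.
# Fields are compared as numbers, so 2.2.9 sorts below 2.2.22.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Classify headers on stdin against minimum version $1.
# Prints and returns: "ok <ver>" (0), "below-minimum <ver>" (1), "unknown" (2).
check_banner() {
    v=$(apache_version)
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_lt "$v" "$1"; then echo "below-minimum $v"; return 1; fi
    echo "ok $v"
}

# Demo on the constructed sample; against a live system the input would be
#   curl -sI "http://<ip address of my ucs>/" | check_banner 2.2.22
printf '%s\n' "$SAMPLE_HEADERS" | check_banner 2.2.22 || :
```

A Server banner can be trimmed or hidden by configuration and does not reflect fixes a vendor has backported, so treat the result as a first check alongside the vendor's open source list for the firmware release.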

9 REPLIES
Cisco Employee

Apache Vulnerabilities in UCS 2.0(1w)

Hi Matt,

To see what

Under General References, you will find documents detailing what open source software is used.

http://www.cisco.com/en/US/products/ps10477/prod_technical_reference_list.html#anchor4

In saying that, there are currently only two versions available:

I'll check with the product team if there is a version available for UCS 2.0(2).

Thanks,

Michael

Cisco Employee

Apache Vulnerabilities in UCS 2.0(1w)

I'll also add that device management ports, regardless of device type or vendor, should be kept behind a firewall with network access restricted to trusted users.

Matthew

Re: Apache Vulnerabilities in UCS 2.0(1w)

The mentioned commands are not working to check the existing Apache version. Also, please share any documents related to upgrading Apache in the UCS environment.

Upgrade to Apache version 2.4.28 or later.

Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)

 

Cisco Employee

Re: Apache Vulnerabilities in UCS 2.0(1w)

Ravi,

You should be able to run the curl command from a Unix/Linux system.

Where are you attempting to run it from? 

Ex. If I want information from my lab, then from a Terminal session on my machine I can run...

      'curl -I <ip address of my ucs>'

 

Apache cannot be updated (as far as I'm aware) standalone from the infrastructure of the domain.

So if you are looking at updating Apache for a vulnerability, then you are looking at performing an infrastructure update.

 

Regards.

Community Member

Apache Vulnerabilities in UCS 2.0(1w)

Thanks, all. I have what I need for now. I've been told by my Cisco contacts that 2.0(3) is just around the corner, which will come with Apache 2.2.22.

Cisco Employee

Apache Vulnerabilities in UCS 2.0(1w)

Just to close out on another point in this thread, we have now posted an Open Source List 2.0(2)

http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/UCS_2_0_2_Open_Source_Documentation.pdf

Thanks,

Michael
