Apache version suitability for Rocky 8.5

wex65 · November 21, 2021, 9:44pm

I am running Rocky 8.5 and apache 2.4.37. As an initial warning, I am a bit of a novice - I have got everything setup and my website is working A OK.

After a fruitful morning working through a PCI test I have managed to harden the server and pass almost all PCI tests bar one apache related CVE (CVE-2021-36160) which was resolved in 2.4.49.

I understand backporting is the preferred approach to resolving these issues BUT this CVE has no patch available. RH indicates no possible mitigation.

Is an upgrade to a later apache version (latest stable is 2.4.51) the next suitable step for a Rocky8.5 install? Otherwise I don’t see a way to overcome this issue?

Thanks for any input
Paul

linuxlover · November 22, 2021, 5:44am

As per RedHat assigned severity its impact is Moderate only. So I suspect they will take time to release its update etc.

I will suggest if you are not using this UWSGI gateway module functionality ( mod_proxy_uwsgi ) unload it from loaded modules. ( comment it in /etc/httpd/conf.modules.d/00-proxy.conf )

jlehtone · November 22, 2021, 5:59am

Red Hat writes:

“Affected” means that our Analysis Team has determined that this product is affected by this vulnerability and might release a fix to address this in the near future.

I’d rather wait for RH to fix than turn my system into unmanageable chimera. Do you even use that mod_proxy_uwsgi in your site?

wex65 · November 22, 2021, 11:55am

Thanks guys, your input is much appreciated. I am not aware of any use of this module so I will unload it and monitor the site.

Extra points for the use of the word chimera!

Paul

Update: as it turns out the server didn’t even have he module loaded. Thanks again.

[root@li1250]# yum info mod_proxy_uwsgi
Last metadata expiration check: 3:52:19 ago on Mon 22 Nov 2021 03:16:43 AM EST.
Error: No matching Packages to list

jlehtone · November 22, 2021, 1:41pm

dnf provides */mod_proxy_uwsgi\* reveals that the file is in package httpd.

Check with grep -r proxy /etc/httpd what/where might call LoadModule.

wex65 · November 22, 2021, 1:56pm

Thanks, found the offending conf file (00-proxy.conf) and commented it out.

Paul

linuxlover · November 23, 2021, 4:37am

Red Hat have loaded lot of apache modules in default config. If want further tunning unload all non required module. apachectl -M will give you the details of all loaded modules.

[CLD-AARCH64 ]$ apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 brotli_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 cache_socache_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 macro_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 request_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 watchdog_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 lua_module (shared)
 mpm_event_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_hcheck_module (shared)
 proxy_scgi_module (shared)
 proxy_wstunnel_module (shared)
 ssl_module (shared)
 systemd_module (shared)
 cgid_module (shared)
 http2_module (shared)
 proxy_http2_module (shared)

Place to comment out the non required modules /etc/httpd/conf.modules.d