Overview
GFI LanGuard's integrated Apache HTTP server installed version is often reported as being outdated or is flagged for having known security vulnerabilities.
Our Engineering team is already working on upgrading Apache to the latest version for the next LanGuard build. There is no ETA or timeframe for such releases as they require thorough testing to avoid breaking agents and remediation jobs.
Solution
<supportagent>
Note for support agents:
Emphasize that only our Devs are upgrading the components after thorough testing. If customers try to manually update the apache version, that will break LanGuard. Create a Jira for Engineering if none exists to upgrade Apache to the latest build .Do not close the support ticket if the JIRA has not been resolved yet, unless the customer explicitly asks you to do so.
</supportagent>
Vulnerabilities are discovered periodically in the Apache server software by vulnerability scanners or penetration tools. LanGuard or other security scanners such as Nessus will sometimes return a message that vulnerabilities exist within the system. This usually happens when the LanGuard Apache web server is not updated to the latest version, or the LanGuard server itself is not on the most recent version.
If you are not on the latest LanGuard version, upgrade LanGuard to the most recent release since new product updates, including integrated Apache web server, are only provided to the latest LanGuard versions.
The Engineering team tests and upgrades the integrated Apache server version during each release, which normally happens every six months.
Between releases, some elements of the Apache server may be outdated, which reflects on certain vulnerabilities. Apache Server is used within the GFI LanGuard for its caching proxy features (Relay Agents) and its Fast CGI feature when communicating scan results between the server and the agents. This means that our version of Apache does not use all the modules (such as SSL); therefore, most reported Apache vulnerabilities may not apply to our version.
Important: GFI LanGuard integrated Apache server is upgraded only by our Engineering team after thorough testing. If you try to update the Apache version manually, that will break LanGuard.
Testing
You can consult the latest LanGuard version released, and the Apache version included with it in the LanGuard Product Releases section of the GFI website.
Priyanka Bhotika
Comments