Overview
GFI LanGuard's integrated Apache HTTP server is often reported as outdated or flagged for having known security vulnerabilities.
Our Engineering team is already working on upgrading Apache to the latest version for the next LanGuard build. There is no ETA or timeframe for such releases as they require thorough testing to avoid breaking agents and remediation jobs.
Solution
<supportagent>
Emphasize that only our Devs upgrade the components, after thorough testing. If customers try to manually update the Apache version, that will break LanGuard.
A Jira ticket also needs to be created or linked, because the Engineering team has no monitored task that alerts it when a new Apache release occurs:
- L1 searches the GFIL JIRA project for an existing ticket to update Apache.
- If the ticket is found:
  - L1 updates the support ticket, linking the Jira ticket to it, as per the Jira End to End Process.
  - L1 informs the customer and sets the ticket status to On-Hold.
- If no open GFIL Jira ticket exists:
  - L1 escalates to L2.
  - L2 creates a ticket of type Customer Defect in the GFIL project; GFIL-13270 (Old JIRA) or GFIL-16982 (Cloud JIRA) can be used as a template.
  - L2 updates the support ticket, linking the Jira ticket to it, as per the Jira End to End Process.
  - L2 informs the customer and sets the ticket status to On-Hold.
Note: Do not close the ticket if the JIRA has not been resolved yet, unless the customer explicitly asks you to do so.
</supportagent>
Vulnerabilities are discovered periodically in the Apache server software by vulnerability scanners or penetration tools. LanGuard or other security scanners such as Nessus will sometimes return a message that vulnerabilities exist within the system. This usually happens when the LanGuard Apache web server is not updated to the latest version, or the LanGuard server itself is not on the most recent version.
If you are not on the latest LanGuard version, upgrade LanGuard to the most recent release, since new product updates, including the integrated Apache web server, are only provided for the latest LanGuard versions.
The Engineering team tests and upgrades the integrated Apache server version during each release, which normally happens every six months.
Between releases, some elements of the Apache server may be outdated, which is reflected in certain reported vulnerabilities. Apache Server is used within GFI LanGuard for its caching proxy features (Relay Agents) and its FastCGI feature when communicating scan results between the server and the agents. This means that our version of Apache does not use all the modules (such as SSL); therefore, most reported Apache vulnerabilities may not apply to our version.
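The module point above can be checked per finding. As an added example (not GFI's code), the script below reads the output of Apache's `httpd -M` module listing and sorts scanner findings by whether the module they affect is loaded; the sample output, the finding IDs and the finding-to-module mapping are constructed for illustration and are not LanGuard's actual module list.

```python
import re

# Constructed sample of `httpd -M` output (not captured from a LanGuard install).
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 cache_module (shared)
 cache_disk_module (shared)
 proxy_module (shared)
 fcgid_module (shared)
"""

# Constructed findings: IDs are placeholders, "module" is the Apache module the
# scanner advisory names (None when the advisory names the core server).
SAMPLE_FINDINGS = [
    {"id": "FINDING-0001", "module": "ssl_module"},
    {"id": "FINDING-0002", "module": "proxy_module"},
    {"id": "FINDING-0003", "module": None},
]

MODULE_LINE = re.compile(r"^\s*([a-z0-9_]+_module)\s+\((static|shared)\)\s*$")


def loaded_modules(httpd_m_output):
    """Return {module_name: 'static' | 'shared'} parsed from `httpd -M` output."""
    modules = {}
    for line in httpd_m_output.splitlines():
        match = MODULE_LINE.match(line)
        if match:  # skips the "Loaded Modules:" header and any warnings
            modules[match.group(1)] = match.group(2)
    return modules


def triage(findings, modules):
    """Label each finding by whether the module it affects is loaded."""
    verdicts = {}
    for finding in findings:
        module = finding["module"]
        if module is None:
            verdicts[finding["id"]] = "review"  # core server: cannot rule out
        elif module in modules:
            verdicts[finding["id"]] = "module-loaded"
        else:
            verdicts[finding["id"]] = "module-not-loaded"
    return verdicts


if __name__ == "__main__":
    for fid, verdict in triage(SAMPLE_FINDINGS, loaded_modules(SAMPLE_HTTPD_M)).items():
        print(fid, verdict)
```

A `module-not-loaded` result only marks a finding as a candidate for "not applicable"; findings against the core server or a loaded module stay open until the LanGuard release that upgrades Apache.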
Important: GFI LanGuard integrated Apache server is upgraded only by our Engineering team after thorough testing. If you try to update the Apache version manually, that will break LanGuard.
Testing
You can check the latest released LanGuard version, and the Apache version included with it, in the LanGuard Product Releases section of the GFI website.