Overview
The version of the Apache HTTP server integrated with GFI LanGuard is reported as outdated or is flagged as having known security vulnerabilities.
Our Engineering team is already working on upgrading Apache to the latest version. There is no ETA yet - after thorough testing, an upgraded Apache will be delivered through the LanGuard automatic program updates.
Solution
<supportagent>
Emphasize that only our Devs upgrade the components, after thorough testing. If customers try to manually update the Apache version, that will break LanGuard.
A Jira ticket also needs to be created or linked, as the Engineering team does not have any monitored task that alerts them when a new Apache release occurs:
- L1 searches the GFIL JIRA project for an existing ticket to update Apache.
- If the ticket is found:
  - L1 updates the support ticket, linking the Jira ticket to it, as per the Jira End to End Process.
  - L1 informs the customer and places the ticket status as On-Hold.
- If no open GFIL Jira ticket exists:
  - L1 escalates to L2.
  - L2 creates a ticket in the GFIL project of type Customer Defect. GFIL-13270 (Old JIRA) or GFIL-16982 (Cloud JIRA) can be used as a template.
  - L2 updates the support ticket, linking the Jira ticket to it, as per the Jira End to End Process.
  - L2 informs the customer and places the ticket status as On-Hold.
Note: Do not close the ticket if the JIRA has not been resolved yet, unless the customer explicitly asks you to do so.
</supportagent>
Vulnerabilities are discovered periodically in the Apache server software by vulnerability scanners or penetration testing tools. LanGuard or other security scanners such as Nessus will sometimes return a message that vulnerabilities exist within the system. This usually happens when the LanGuard Apache web server is not updated to the latest version, or the LanGuard server itself is not on the most recent version.
If you are not on the latest LanGuard version, upgrade LanGuard to the most recent release, since new product updates, including updates to the integrated Apache web server, are only provided for the latest LanGuard versions.
New versions of the Apache server may be released midstream of the current release of the LanGuard product. When this occurs, the GFI Development team investigates and tests the server's new version to make sure it does not negatively affect LanGuard functionality.
The Engineering team tests and upgrades the integrated Apache server version during each release, which normally happens every six months. If critical vulnerabilities are reported much earlier, and the testing discovers no negative impact, the upgrade will be pushed for the current release. As soon as the new server version's functionality is confirmed, it is immediately released. The update is done automatically via the Program Updates module.
Between releases, some elements of the Apache server may be outdated, which is why certain vulnerabilities are reported against it. Apache Server is used within GFI LanGuard for its caching proxy features (Relay Agents) and its FastCGI feature when communicating scan results between the server and the agents. This means that our version of Apache does not use all the modules (such as SSL); therefore, some reported Apache vulnerabilities may not apply to our version.
Important: The Apache server integrated with GFI LanGuard is upgraded only by our Engineering team after thorough testing. If you try to update the Apache version manually, that will break LanGuard.
Testing
Once we update the version, no action is normally required to receive the update since it is delivered automatically via program updates. Once LanGuard program updates are completed, to validate the Apache version:
- Navigate to C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin
- Locate the file httpd.exe, right-click on it, and open Properties
- Select the Details tab and check the version
If you still see an older version, this may be because the program updates failed or have not been triggered automatically. In this case, perform a manual product update.
Note: You can consult the latest LanGuard version released, and the Apache version included with it, in the LanGuard Product Releases section of the GFI website.
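The same check as the steps above can be scripted, which helps when several machines need to be verified. This is an added example, not GFI's own tooling: the function name `Test-LanGuardApacheVersion` and its parameters are hypothetical, and the expected version must be taken from the Product Releases page.

```powershell
# Added example: reads the version resource of LanGuard's bundled httpd.exe
# (the same data shown on the Details tab) and compares it to an expected version.
# Test-LanGuardApacheVersion and its parameter names are hypothetical.
function Test-LanGuardApacheVersion {
    [CmdletBinding()]
    param(
        # Folder from the steps above; adjust if LanGuard is installed elsewhere.
        [string]$HttpdDir = 'C:\Program Files (x86)\GFI\LanGuard 12 Agent\Httpd\bin',
        # Apache version listed for your LanGuard release on the Product Releases page.
        [Parameter(Mandatory)][version]$ExpectedVersion
    )

    $exe = Join-Path -Path $HttpdDir -ChildPath 'httpd.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "httpd.exe not found in '$HttpdDir'."
    }

    # Build a comparable version from the numeric parts of the file version,
    # which avoids parsing problems if the display string has extra text.
    $info  = (Get-Item -LiteralPath $exe).VersionInfo
    $found = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)

    [pscustomobject]@{
        Path            = $exe
        FileVersion     = $info.FileVersion
        ParsedVersion   = $found
        ExpectedVersion = $ExpectedVersion
        UpToDate        = $found -ge $ExpectedVersion
    }
}

# Usage: 0.0.0 is a placeholder; replace it with the version from the release notes.
$result = Test-LanGuardApacheVersion -ExpectedVersion '0.0.0'
$result | Format-List
if (-not $result.UpToDate) {
    Write-Warning 'Older Apache version found: perform a manual product update in LanGuard.'
}
```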