AIX

  • 1.  The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 23 days ago

    The vulnerability is related to http on port 80, and port 80 runs the httpd process from Apache, as follows:

    gdisprnimal1d(root):/# lsof -i :80 -w
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    httpd 9240872 root 4u IPv6 0xf10010000a38bbc0 0t0 TCP *:http (LISTEN)

    gdisprnimal1d(root):/# ps -ef | grep -i 9240872
    root 9240872 1 0 Aug 22 - 0:30 /opt/freeware/sbin/httpd -k start
    apache 21692778 9240872 0 Nov 01 - 0:00 /opt/freeware/sbin/httpd -k start

    We need help fixing the http vulnerability reported on port 80 on the Infra NIM servers.



    ------------------------------
    Unix Team
    ------------------------------


  • 2.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 21 days ago

    Please share the details of the vulnerabilities reported and the output of "rpm -qi httpd".
    If the mod_ssl rpm is not installed, you can install it using "dnf install mod_ssl". This will enable the ssl module so that httpd can listen on port 443.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 3.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 20 days ago

    Hello Reshma Kumar,

    Please find below the output of the requested command and the details of the reported vulnerability.

    gdisprnimal1d(root):/# rpm -qi httpd
    Name        : httpd
    Version     : 2.4.54
    Release     : 3
    Architecture: ppc
    Install Date: Tue Aug  8 10:52:24 CEST 2023
    Group       : System Environment/Daemons
    Size        : 14545732
    License     : Apache Software License
    Signature   : (none)
    Source RPM  : httpd-2.4.54-3.src.rpm
    Build Date  : Fri Oct 21 11:36:00 CEST 2022
    Build Host  : pokndd5.pok.stglabs.ibm.com
    Relocations : /opt /var /etc
    Packager    : IBM AIX Toolbox  <https://ibm.biz/AIXToolbox>
    URL         : http://httpd.apache.org/
    Bug URL     : https://ibm.biz/aixoss_forum
    Summary     : Apache HTTP Server
    Description :
    The Apache HTTP Server is a powerful, efficient, and extensible
    web server.
    gdisprnimal1d(root):/#

    Vulnerability Details:

    Vulnerability
    QID-11827

    Summary
    HTTP Security Header Not Detected

    Remediation notes
    Note: To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.

    CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

    Customers are advised to set proper X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) and Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) HTTP response headers.

    Depending on their server software, customers can set directives in their site configuration or Web.config files. Few examples are:

    X-Content-Type-Options:
    Apache: Header always set X-Content-Type-Options: nosniff

    HTTP Strict-Transport-Security:
    Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Nginx: add_header Strict-Transport-Security max-age=31536000;

    Note: Network devices that include a HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommend to contact the vendor for a solution.

    Description
    X-Content-Type-Options HTTP Header missing on port 80.

    GET / HTTP/1.1
    Host: 10.247.138.194
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0

    HTTP/1.1 200 OK
    Date: Sat, 01 Nov 2025 17:37:17 GMT
    Server: Apache/2.4.54 (Unix)
    Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
    ETag: "2d-432a5e4a73a80"
    Accept-Ranges: bytes
    Content-Length: 45
    Keep-Alive: timeout=5, max=96
    Connection: Keep-Alive
    Content-Type: text/html

    <html><body><h1>It works!</h1></body></html>

    Port
    80


    ------------------------------
    Unix Team
    ------------------------------



  • 4.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 19 days ago

    Based on the details shared, this looks like a server configuration issue. Please make the required changes as per the remediation steps provided, restart the server and try again.
    Additionally, the version of httpd installed is old, so please update it to the latest version (i.e., 2.4.65) using "dnf update httpd".



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 5.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 12 days ago

    Hello Reshma Kumar,

    We can update the httpd version to the latest, but does it require rebooting the server?

    Also, we couldn't find the remediation steps provided in the vulnerability report. It mentions contacting the vendor, as highlighted below. Please find it below.

    Please share the steps to fix the issue.

    =============

    Remediation Notes:

    "Note: To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.

    CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

    Customers are advised to set proper X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) and Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) HTTP response headers.

    Depending on their server software, customers can set directives in their site configuration or Web.config files. Few examples are:

    X-Content-Type-Options:
    Apache: Header always set X-Content-Type-Options: nosniff

    HTTP Strict-Transport-Security:
    Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Nginx: add_header Strict-Transport-Security max-age=31536000;

    Note: Network devices that include a HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommend to contact the vendor for a solution."



    ------------------------------
    Unix Team
    ------------------------------



  • 6.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 9 days ago

    Hello Reshma Kumar,

    Can we have an update on this, please? We need to mitigate this issue ASAP.



    ------------------------------
    Unix Team
    ------------------------------



  • 7.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 8 days ago

    There is no "httpd" vendor.  Follow the instructions they've given you:

    Customers are advised to set proper X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) and Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) HTTP response headers.

    Note that to set Strict-Transport-Security, you need to configure your server to use https instead of http.



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------



  • 8.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 7 days ago

    Hello Jose,

    Can you please share the steps to configure the server to use https instead of http?



    ------------------------------
    Unix Team
    ------------------------------



  • 9.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 7 days ago

    Sure: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------



  • 10.  RE: The vulnerability is related to http on port 80 and port 80 runs httpd process from apache

    Posted 7 days ago

    Step 1: Identify the Vulnerability

    • The process running on port 80 is Apache httpd:
      /opt/freeware/sbin/httpd -k start
      
    • Vulnerabilities on port 80 usually relate to:
      • Outdated Apache version (missing security patches)
      • Cleartext HTTP traffic (unencrypted)
      • Misconfigured modules or headers (e.g., missing security headers)
      • Directory listing or weak SSL/TLS settings (if HTTPS is also enabled)
    • Run:
      httpd -v
      to check the Apache version. Compare it against the latest secure version from the IBM AIX Toolbox or the official Apache site.


    Step 2: Apply Fixes

    Option A: Upgrade Apache httpd

    • Use dnf or rpm to update:
      dnf update httpd -y

    • Ensure you have the latest AIX Toolbox repository metadata:

    Option B: Enforce HTTPS and Disable HTTP

    • If the vulnerability is due to unencrypted HTTP, configure Apache to:
      • Redirect all HTTP traffic (port 80) to HTTPS (port 443).
      • Enable SSL/TLS module:
        LoadModule ssl_module modules/mod_ssl.so
      • Configure VirtualHost for HTTPS and add:
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
        
    • Install SSL certificates (self-signed or CA-signed).

    Option C: Harden Apache Configuration

    • Disable ServerTokens and ServerSignature:
      ServerTokens Prod
      ServerSignature Off
      
    • Add security headers:
      Header always set X-Content-Type-Options "nosniff"
      Header always set X-Frame-Options "DENY"
      Header always set X-XSS-Protection "1; mode=block"
      
    • Disable unnecessary modules.

    Step 3: Validate

    • Restart Apache:
      apachectl restart
    • Verify:
      If you redirected to HTTPS, port 80 should only serve redirects
    • Run vulnerability scan again.

    Step 4: Optional

    If you cannot disable HTTP completely (due to application dependency), at least:

    • Restrict access using firewall or Listen directive to internal IPs only.
    • Apply latest patches.


    ------------------------------
    Roshan Kumar Sa
    ------------------------------
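
Added example (not code from any poster in this thread): a small checker for the "Validate" step that audits a raw HTTP response for the two headers QID-11827 names, the Server version disclosure mentioned under Option C, and the port 80 redirect. The `BEFORE_80` sample is trimmed from the scan report above; `AFTER_80`, `AFTER_443` and the host name `nim.example.test` are constructed.

```python
import re

# Trimmed from the response captured in the scan report (port 80, before changes).
BEFORE_80 = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.54 (Unix)\r\n"
             "Content-Type: text/html\r\n\r\n<html><body><h1>It works!</h1></body></html>")
# Constructed samples of what a remediated server could return.
AFTER_80 = ("HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Location: https://nim.example.test/\r\n\r\n")
AFTER_443 = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
             "X-Content-Type-Options: nosniff\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")

def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Extract max-age seconds from an HSTS header value; 0 if absent or invalid."""
    m = re.search(r"(?i)\bmax-age\s*=\s*\"?(\d+)", value)
    return int(m.group(1)) if m else 0

def audit(raw, scheme):
    """List findings for one response; scheme is 'http' or 'https'."""
    status, h = parse_head(raw)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Server header discloses a version")
    if scheme == "https":
        if hsts_max_age(h.get("strict-transport-security", "")) <= 0:
            findings.append("Strict-Transport-Security missing or max-age=0")
    # Browsers ignore HSTS received over plain HTTP (RFC 6797), so port 80
    # is expected to redirect permanently to https instead.
    elif not (status in (301, 308) and h.get("location", "").startswith("https://")):
        findings.append("plain HTTP is not permanently redirected to https")
    return findings
```

To audit a live server, feed `audit()` the header dump from `curl -sI` against each port, passing the matching scheme.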