AIX Open Source

  • 1.  How to mitigate Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers.

    Posted Tue April 26, 2022 11:35 PM
    Hi Team,
    In our Qualys scan report we've found the Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers. We've checked and found that there are some httpd daemon processes running.

    typhoon:/root# ps -ef|grep -i httpd
    nobody 4128938 5898446 0 Jul 17 - 0:05 /opt/freeware/apache/sbin/httpd
    nobody 5570794 5898446 0 Jul 17 - 0:05 /opt/freeware/apache/sbin/httpd
    nobody 5767350 5898446 0 Jul 17 - 0:05 /opt/freeware/apache/sbin/httpd
    root 5898446 1 0 Jul 17 - 5:09 /opt/freeware/apache/sbin/httpd
    nobody 6029504 5898446 0 Jul 17 - 0:05 /opt/freeware/apache/sbin/httpd

    As we have checked, it seems we are using apache-1.3.31 here. Can anyone let me know if I upgrade this to Apache http 2.4.53, will our Server Buffer Overflow vulnerability be mitigated? If yes, then please help us with the steps to install Apache http 2.4.53.

    typhoon:/root# rpm -qf /opt/freeware/apache/sbin/httpd
    apache-1.3.31-3ssl

    ------------------------------
    Virendra Singh
    ------------------------------


  • 2.  RE: How to mitigate Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers.

    Posted Wed April 27, 2022 08:41 AM
    This is a pretty old release of Apache httpd, from 2004 I think. Also I am not sure where you installed it from.
    Not sure if migration will work. You may have to remove the existing httpd server and install a new one.
    I think the paths for the binary and conf files will also not be the same. You may have to create the conf files again as they might not be the same as in version 1.3.

    You have not provided enough information about the vulnerability, as there were many such vulnerabilities. You should check the particular CVE to see if it affects the version available in the AIX toolbox. All this information is available on the internet.


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: How to mitigate Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers.

    Posted Wed April 27, 2022 12:38 PM
    Edited by UNIX Wed April 27, 2022 12:40 PM
    Hi Sanket,
    Thanks for the reply. 
    The CVE for this vulnerability is CVE-2021-44790. After some googling it looks like this vulnerability will be resolved in http 2.4.53, but I'm not sure. Can you please help me with that if you have something.
    Also I've checked and found there are a total of three packages related to version 1.3. So if I want to uninstall this version from the server, do I need to uninstall all three packages, and how can I find out which packages depend on this version?

    typhoon:/root# rpm -qa|grep -i apache
    apache-devel-1.3.31-3ssl
    apache-1.3.31-3ssl
    apache-manual-1.3.31-3ssl

    Also, for installing the new version do I need to install all the below-mentioned packages?
    httpd-devel 2.4.53
    httpd-manual 2.4.53
    httpd 2.4.53

    Also, it would be very helpful if you let me know how to install these packages using the rpm utility, as the yum utility is not installed on my server.

    ------------------------------
    Virendra Singh
    ------------------------------



  • 4.  RE: How to mitigate Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers.

    Posted Thu April 28, 2022 01:51 PM
    The particular CVE says it affects httpd 2.4.51 or earlier so it should be fixed in 2.4.53.

    I am not sure where and when you installed these packages from, but it looks like they are from the same package and all should be uninstalled.
    If you only want the http server then httpd 2.4.53 and its dependencies should be enough to install.
    The best way to install packages from the AIX toolbox is through dnf.
    If you do not have dnf and cannot set up dnf then you will have to manually resolve all dependencies, and that will be challenging.


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 5.  RE: How to mitigate Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers.

    Posted Thu April 28, 2022 02:04 PM
    Hi Sanket,
    Thanks for reply.
    Looking at the below output, can you please suggest which dependent packages will be removed if we uninstall the apache-1.3.31-3ssl package? I'm not sure about the impact of these dependent packages on my server.

    Also, please let me know if we have any other way to check the dependent packages.

    typhoon:/root# rpm -qR apache-1.3.31-3ssl
    /bin/sh
    /bin/sh
    /usr/bin/perl
    libc.a(shr.o)
    libpthread.a(shr_comm.o)
    libpthread.a(shr_xpg5.o)

    ------------------------------
    Virendra Singh
    ------------------------------



  • 6.  RE: How to mitigate Apache Hypertext Transfer Protocol (HTTP) Server Buffer Overflow Vulnerability for our AIX servers.

    Posted Mon May 02, 2022 11:54 AM
    All the packages mentioned as dependencies are AIX base; you should not remove any of them.
    Just remove the apache packages and install httpd and its dependencies.

    ------------------------------
    SANKET RATHI
    ------------------------------
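
A pre-upgrade check script for the situation in this thread, added here as an example and not posted by anyone above: it parses the package versions from the rpm names shown earlier, applies the affected range Sanket quoted for CVE-2021-44790 (2.4.51 and earlier), and uses rpm's --whatrequires and -e --test to show what removing the apache packages would touch without removing anything. The script file name and the "check" argument are assumptions; the rpm flags are standard rpm options.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes an AIX host with the Toolbox
# rpm installed; package names are the ones shown in the thread.

# Extract the upstream version from an rpm NAME-VERSION-RELEASE string,
# e.g. apache-devel-1.3.31-3ssl -> 1.3.31
rpm_version() {
    expr "$1" : '.*-\([0-9][0-9.]*\)-[^-]*$'
}

# Numeric dotted-version comparison (AIX sort has no -V): prints "le" if
# $1 <= $2, otherwise "gt".
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "le"; exit }
            if (xi > yi) { print "gt"; exit }
        }
        print "le"
    }'
}

# Affected range as stated in the thread for CVE-2021-44790: 2.4.51 and earlier.
httpd_affected() {
    if [ "$(version_le "$1" 2.4.51)" = le ]; then echo yes; else echo no; fi
}

# Pre-removal check: what each package needs, what (if anything) needs it,
# then a dry run. rpm -e --test reports dependency breakage, removes nothing.
pre_removal_check() {
    for p in "$@"; do
        echo "== $p requires:";           rpm -qR "$p"
        echo "== packages requiring $p:"; rpm -q --whatrequires "$p" || echo "(none)"
    done
    rpm -e --test "$@"
}

# Usage: sh check.sh check   (rpm is only invoked with this argument)
if [ "${1:-}" = check ]; then
    for nvr in $(rpm -qa | grep '^apache'); do
        v=$(rpm_version "$nvr")
        echo "$nvr: version $v, in affected range: $(httpd_affected "$v")"
    done
    pre_removal_check apache apache-devel apache-manual
fi
```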