KB Article #: KB0023358
Applies to: Prior to v22.214.171.124
Issue: Security vulnerability fixes.
The following Apache-related security vulnerabilities are fixed by upgrading to 2.4.28:
| # | Vulnerability | Severity |
|---|---------------|----------|
| 1 | Apache HTTPD: mod_mime Buffer Overread (CVE-2017-7679) | Critical |
| 2 | Apache HTTPD: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167) | Critical |
| 3 | Apache HTTPD: mod_ssl Null Pointer Dereference (CVE-2017-3169) | Critical |
| 4 | Apache HTTPD: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788) | Severe |
| 5 | OpenSSL Truncated packet could crash via OOB read (CVE-2017-3731) | Severe |
| 6 | OpenSSL Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) | Severe |
| 7 | Apache HTTPD: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743) | Severe |
| 8 | Apache HTTPD: HTTP_PROXY environment variable “httpoxy” mitigation (CVE-2016-5387) | Severe |
| 9 | TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) | Severe |
| 10 | Apache HTTPD: Use-after-free when using <Limit > with an unrecognized method in .htaccess (“OptionsBleed”) (CVE-2017-9798) | Severe |
Official link located here.
Steps to upgrade:
Apache running as a Windows service is upgraded to 2.4.28 with all the default functionality provided by Ephesoft. Custom changes, however, cannot be migrated automatically, because the configuration files do not follow a defined format and many modules were changed or added between Apache 2.2 and Apache 2.4. For migration steps, please refer to the documentation here.
To upgrade, follow the steps below:
- Stop the Ephesoft server.
- Stop the Windows service named “Ephesoft Web Service”.
- Download and extract the Apache folder from here.
- Place the extracted folder (Apache24) at ‘<Ephesoft-Installation-Directory>/’.
- Delete the Windows service “EphesoftWebService”:
  sc delete EphesoftWebService
- Open the file located at ‘<Ephesoft-Installation-Directory>/Apache24/conf/httpd.conf’.
- Edit the following property so that it points to the correct path of Apache24:
  Define SRVROOT "<Ephesoft-Installation-Directory>/Apache24"
- Make the custom changes as per the migration steps defined here.
- Restart the Ephesoft Server.
- Install and start Apache as a Windows service by executing ‘<Ephesoft-Installation-Directory>/Apache24/installandstart.bat’.
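
A post-upgrade check for the steps above, as an added PowerShell example that is not part of the original article or of Ephesoft's tooling. It assumes the standard Apache-on-Windows layout (bin\httpd.exe and conf\httpd.conf under Apache24); the function names and the sample path C:/Ephesoft/Apache24 are hypothetical.

```powershell
# Added example: post-upgrade checks. Names and sample values are hypothetical.
$MinVersion = [version]'2.4.28'   # target version named in this article

function Get-HttpdVersion {
    param([string[]]$VersionOutput)   # lines printed by "httpd.exe -v"
    foreach ($line in $VersionOutput) {
        if ($line -match 'Apache/(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    }
    throw 'No Apache/x.y.z version string found in the httpd -v output.'
}

function Get-SrvRoot {
    param([string[]]$ConfLines)       # lines of conf\httpd.conf
    foreach ($line in $ConfLines) {
        # Commented-out lines do not match; the value may be quoted or bare.
        if ($line -match '^\s*Define\s+SRVROOT\s+"?([^"]+?)"?\s*$') { return $Matches[1] }
    }
    throw 'No active "Define SRVROOT" line found in httpd.conf.'
}

function Test-ApacheUpgrade {
    param([string]$ApacheDir)         # <Ephesoft-Installation-Directory>\Apache24
    $httpd   = Join-Path $ApacheDir 'bin\httpd.exe'
    $version = Get-HttpdVersion (& $httpd -v)
    $root    = Get-SrvRoot (Get-Content (Join-Path $ApacheDir 'conf\httpd.conf'))
    & $httpd -t 2>&1 | Out-Null       # config syntax check; exit code 0 = OK
    $syntaxOk = $LASTEXITCODE -eq 0
    [pscustomobject]@{
        Version       = $version
        VersionOk     = $version -ge $MinVersion
        SrvRoot       = $root
        # Typographic quotes pasted from a web page become part of the value.
        PlainQuotes   = $root -notmatch '[\u201C\u201D]'
        SrvRootExists = Test-Path -LiteralPath $root -PathType Container
        SyntaxOk      = $syntaxOk
    }
}

# Constructed sample input (not captured from a real system); runs offline.
$sampleVersion = 'Server version: Apache/2.4.28 (Win64)', 'Server built:   (constructed)'
$sampleConf    = '# Define SRVROOT "C:/old"', 'Define SRVROOT "C:/Ephesoft/Apache24"'
(Get-HttpdVersion $sampleVersion) -ge $MinVersion
Get-SrvRoot $sampleConf

# On the upgraded server (path is a placeholder):
# Test-ApacheUpgrade 'C:\Ephesoft\Apache24'
```

Any field that comes back False (VersionOk, PlainQuotes, SrvRootExists, SyntaxOk) points at the step to revisit before putting the server back into service.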