02-08-2012 07:26 AM
I am trying to find out what the embedded Apache version is in various Brocade fw packages. Specifically 6.4.1a, 6.4.2b and any of the newer FOS 7.x versions. I took a look at the packages and didn't see an Apache version listed, so an answer would be helpful, but if you could tell me where to find this information, that would be even better.
02-09-2012 04:43 AM
Thanks, that's a helpful start. Customer is getting vulnerability reports on the SAN switches. The vulnerability we are being hit with from the security scans is: 101241 HTTP port 80 reveals Apache byterange filter allows remote attackers to cause a denial of service.
The recommended fix is: Upgrade to Apache httpd 2.2.21 or later or contact the vendor for a fix.
I am trying to figure out if this Apache httpd version is a part of any current or future firmware package. 6.4.2a running 2.0.50 still seems far off from the version I need of 2.2.21.
02-09-2012 06:24 AM
A bit of security by obscurity.
Block port 80 on the switch or allow only a few management hosts.
Block port 80 entirely and use SSH (with the effect that the SSH daemon can have a vulnerability as well).
Put the switch on a shielded management VLAN.
02-15-2012 01:16 PM
I suspect this is what we will end up looking at, alternatives. Still interested in understanding the versions embedded in the FOS releases and how to identify them correctly.
07-26-2013 01:24 AM
We're having the same situation here, and the installed firmware is 7.0.2c. The Apache release for this release is 2.0.50.
Is there any procedure/command to check on the switches which Apache version this firmware is running?
I need to send this information to the Security Team.
07-26-2013 09:03 AM
Greetings marcia.ferreira. The Apache version is in fact 2.0.50. If you go to Brocade Open Source Code and scroll down, identify the closest code release you have and click it, on the next page you will see the included Apache versions. If information is needed about the vulnerabilities flagged, you can open a case with your predefined support vendor.
07-29-2013 12:51 AM
I've seen this link before, thanks. However, my question is: is there any command with which I can get this information from the switches? Just to send this information to the Security team.
07-29-2013 06:11 AM
Is this link what you are looking for? For each firmware version it lists the subversions for all or most of the packages.
07-29-2013 06:18 AM
I know that each firmware version has an apache release (I know what this link contains).
What I'm asking is whether there is any command on FOS 7.x with which I can get this information from the SAN switches (in real time).
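
Added example, not part of any post in this thread and not Brocade code: one way to collect the evidence the security team asks for is to read the `Server` header the switch's web interface returns and compare it with the 2.2.21 threshold from the scan report. It assumes the switch discloses a version in that header; the function names and the sample response are constructed for illustration.

```python
import http.client
import re

FIXED = (2, 2, 21)  # version named in the scanner's recommended fix

def parse_server_header(raw_head):
    """Return the Server header value from a raw HTTP response head, or None."""
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():                    # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def classify(banner):
    """Compare a Server banner with FIXED; hidden versions are reported as such."""
    if banner is None:
        return "no-banner"
    # "Apache/x.y.z", or a bare "Apache" token; "Apache-Coyote" does not match.
    m = re.search(r"\bApache(?:/(\d+)\.(\d+)\.(\d+)|(?![\w-]))", banner)
    if not m:
        return "not-apache"
    if m.group(1) is None:
        return "version-not-disclosed"
    version = tuple(int(g) for g in m.groups())
    return "below-fixed" if version < FIXED else "at-or-above-fixed"

def fetch_banner(host, port=80, timeout=5):
    """HEAD request against a switch you administer; returns its Server header."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

# Constructed sample response head (not captured from a real switch).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 29 Jul 2013 06:18:00 GMT\r\n"
    "Server: Apache/2.0.50 (Unix)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    banner = parse_server_header(SAMPLE)
    print(banner, "->", classify(banner))
```

A banner below the threshold shows what the scanner sees, not whether the vendor has backported a fix, so the result still needs to be confirmed against the firmware's published package list or with the support vendor.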