Fibre Channel (SAN)

Occasional Contributor
Posts: 5
Registered: ‎11-04-2009

Apache version needed due to vulnerability being flagged.

Hello,

I am trying to find out what the embedded Apache version is in various Brocade fw packages. Specifically 6.4.1a, 6.4.2b and any of the newer FOS 7.x versions. I took a look at the packages and didn't see an Apache version listed, so an answer would be helpful, but if you could tell me where to find this information, that would be even better.

Thanks,
Gary

Valued Contributor
Posts: 761
Registered: ‎06-11-2010

Re: Apache version needed due to vulnerability being flagged.

If it does, on v6.4.2a, Apache/2.0.50 is the version running.

Occasional Contributor
Posts: 5
Registered: ‎11-04-2009

Re: Apache version needed due to vulnerability being flagged.

Thanks, that's a helpful start. The customer is getting vulnerability reports on the SAN switches. The vulnerability we are being hit with from the security scans is: 101241 HTTP port 80 reveals Apache byterange filter allows remote attackers to cause a denial of service.

The recommended fix is: Upgrade to Apache httpd 2.2.21 or later, or contact the vendor for a fix.

I am trying to figure out if this Apache httpd version is a part of any current or future firmware package.  6.4.2a running 2.0.50 still seems far off from the version I need of 2.2.21.

Thanks again,

Gary

Valued Contributor
Posts: 931
Registered: ‎12-30-2009

Re: Apache version needed due to vulnerability being flagged.

A bit of security by obscurity.

A few options:

Block port 80 on the switch or allow only a few management hosts.

Block port 80 entirely and use SSH (with the effect that the SSH daemon can have a vulnerability as well).

Put the switch on a shielded management VLAN.

Occasional Contributor
Posts: 5
Registered: ‎11-04-2009

Re: Apache version needed due to vulnerability being flagged.

Thank you,

I suspect this is what we will end up looking at, alternatives. Still interested in understanding the versions embedded in the FOS releases and how to identify them correctly.

Thanks again.

Contributor
Posts: 31
Registered: ‎10-08-2012

Re: Apache version needed due to vulnerability being flagged.

Hi,

we're having the same situation here, and the installed firmware is 7.0.2c. The Apache release for this release is 2.0.50.

Is there any procedure/command to check on switches which Apache version is running this firmware?

I need to send this information for Security Team.

regards

Marcia

Super Contributor
Posts: 445
Registered: ‎04-08-2009

Re: Apache version needed due to vulnerability being flagged.

Greetings marcia.ferreira.  The Apache version is in fact 2.0.50.  If you go to Brocade Open Source Code and scroll down, identify the closest code release you have and click it, on the next page you will see the included Apache versions.  If information is needed about the vulnerabilities flagged, you can open a case with your predefined support vendor.

Regards,

Mike Eversole
Brocade Community Manager

Contributor
Posts: 31
Registered: ‎10-08-2012

Re: Apache version needed due to vulnerability being flagged.

Hi Mike

I've seen this link before, thanks. However my question is: Is there any command that I can get this information from switches. Just to send to the Security team this information.

cheers

Marcia

Contributor
Posts: 21
Registered: ‎10-09-2008

Re: Apache version needed due to vulnerability being flagged.


Is this link what you are looking for? For each firmware version it lists the subversions for all or most of the packages.

Brocade Open Source Code

jmm

Contributor
Posts: 31
Registered: ‎10-08-2012

Re: Apache version needed due to vulnerability being flagged.

Hi Jimm

I know that each firmware version has an apache release (I know what this link contains).

What I'm asking is if there is any command on FOS 7.x that I can get this information from the san switches (in real time).

cheers

Marcia
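An added example, not part of the original thread and not Brocade's tooling: one way to record in real time what the scanner sees is to read the `Server` header from the switch's HTTP port and compare it with the 2.2.21 fix version quoted in the scan report. It assumes the switch's web server reports its version in that header; the function names and the sample response are constructed for illustration.

```python
import re
import socket

FIXED = (2, 2, 21)  # fix version quoted in the scan report in this thread

def server_banner(raw: bytes):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def apache_version(banner):
    """Parse 'Apache/2.0.50 (Unix)' into (2, 0, 50); None if hidden or not Apache."""
    m = re.match(r"Apache/(\d+)\.(\d+)\.(\d+)", banner or "")
    return tuple(int(x) for x in m.groups()) if m else None

def assess(raw: bytes) -> str:
    """Classify a response against the fix version from the scan report."""
    version = apache_version(server_banner(raw))
    if version is None:
        return "unknown"   # banner suppressed, truncated, or a different server
    return "below-fix" if version < FIXED else "at-or-above-fix"

def fetch_head(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send one HEAD request to a switch you administer and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks)

# Constructed sample response, built from the banner quoted in the thread.
SAMPLE = (b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
          b"Server: Apache/2.0.50\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    print(server_banner(SAMPLE), assess(SAMPLE))
```

The banner only shows the advertised version string; it does not show whether the vendor has backported a fix into the firmware, so a "below-fix" result still needs confirmation through a support case.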
