Apache vulnerability in 2.4.49

Comments

46 comments

  • cPRex Jurassic Moderator
    Hey there! We're going to be releasing an update tomorrow that will take care of this, and if your server receives automatic updates there is nothing else you need to do on your end.
    0
  • ciao70
    Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021. :)
    0
  • cPRex Jurassic Moderator
    I wasn't going to brag!
    0
  • Jim M
    I suspected an update would be imminent... Thanks for the info, and well-done on spotting the bug! :cool:
    0
  • h4f
    Are you going to issue an Apache 2.4.50 update for WHM v86.0.40 ?
    0
  • rscalover
    I get tons of such requests, but the good news is imunify360 is blocking them; also, lots of "wannabe hackers" who are simply too stupid :)
    0
  • ciao70
    Are you going to issue an Apache 2.4.50 update for WHM v86.0.40 ?

    Hello, EasyApache continues to work on cPanel 86 ;)
    0
  • cPRex Jurassic Moderator
    @h4f - Apache updates are independent of the cPanel version. That being said, you should get the machine updated to a supported version of cPanel as there are likely other security issues present.
    0
  • h4f
    @cPRex You wrote "We're going to be releasing an update tomorrow that will take care of this, and if your server receives automatic updates there is nothing else you need to do on your end." I don't see new Apache being pushed on 86.0.40.
    0
  • cPRex Jurassic Moderator
    You won't ever see an Apache update tied to a specific version of cPanel. You can see yearly changelogs for the service here:
    0
  • vacancy
    CVE-2021-41773 and
    0
  • ciao70
    So it suggests that you need to recompile Apache on each server yourself and an update will not be pushed. On second thought: Apache Update 2.4.49 was released on 2021-09-16 because of CVE-2021-40438 and that was pushed automatically to 86.0.40. So the question is still the same: is 86.0.40 going to get 2.4.50 or must admins do everything manually themselves? Did anyone else with the latest current version of cPanel get 2.4.50, or also not yet?

    Hello, it was just released via EasyApache
    0
  • itnext
    Soooo... I'm not quite following - it seems that cPRex suggested that a new update was due but it hasn't landed yet?
    0
  • cPRex Jurassic Moderator
    As @ciao70 posted, the update is now live as it was released earlier today. What I have been saying is there is no relationship to the cPanel version and to the EasyApache version on the system as Apache and PHP packages are managed directly through their respective RPMs in EasyApache 4. If this were the old EasyApache 3 system, yes, you would have needed to manually recompile Apache and PHP on the server to get the update. Now, with everything being RPM based, this happens automatically as long as your updates are set to automatic. Does that help clear things up?
    0
  • itnext
    I had checked for updates before posting but it seems an update has dropped since then :) After running update my Apache still says 2.4.49
    Server Version: Apache/2.4.49 (cPanel) OpenSSL/1.1.1g mod_bwlimited/1.4
    Server MPM: prefork
    Server Built: Sep 29 2021 17:23:18
    0
  • cPRex Jurassic Moderator
    Did you run "yum update" on that system?
    0
  • itnext
    No. The post says the system will update automatically. I did run System Update which based on its output does the same thing as yum update which I have run just now...
    yum update
    Last metadata expiration check: 2:25:52 ago on Thu 07 Oct 2021 05:36:25 AM AEDT.
    Dependencies resolved.
    Nothing to do.
    Complete!
    Still on 2.4.49
    0
  • cPRex Jurassic Moderator
    The system will update automatically as part of the overnight updates, although a manual "yum update" will work just the same. If you're not seeing the package as part of an update to the system, there's likely some other reason that isn't getting downloaded. You're welcome to submit a ticket to our team so we can check the server, as this is one of those things that should just work.
    0
  • itnext
    Thanks cPRex - I'll open a ticket.
    0
  • cPRex Jurassic Moderator
    Could you post the number here so I can follow along?
    0
  • itnext
    Ticket 94370826
    0
  • cPRex Jurassic Moderator
    Thanks for that - I'm following along with that now on my end.
    0
  • itnext
    Brian has replied. He ran the same and this time there was an update available... I am now on 2.4.50. It suggests the update was not yet available or not yet on all update servers? Thanks for your help.
    0
  • rscalover
    Hello, I did run yum update but the only update that appeared was an update to Apache module mod_bwlimited, so cPanel, why on earth are you making this so complicated ??????
    httpd -v
    Server version: Apache/2.4.48 (cPanel) <<-- I don't like this
    Server built: Aug 19 2021 14:52:05
    0
  • h4f
    Hi, thank you all for your reply. I can confirm that, with automatic update enabled, WHM 86.0.40 has received
    httpd -v
    Server version: Apache/2.4.50 (cPanel)
    0
  • LBJ
    G'day rscalover,
    Hello, I did run yum update but the only update that appeared was an update to Apache module mod_bwlimited, so cPanel, why on earth are you making this so complicated ??????
    httpd -v
    Server version: Apache/2.4.48 (cPanel) <<-- I don't like this
    Server built: Aug 19 2021 14:52:05

    Is it possible you're running CloudLinux for your ea-* updates? The ETA for 100% rollout in that case is October 13. Alternatively, you can force an immediate update with...
    yum update ea-* --enablerepo=cloudlinux-ea4-rollout-2-bypass
    Best regards, LBJ
    0
  • rscalover
    G'day rscalover, Is it possible you're running CloudLinux for your ea-* updates? The ETA for 100% rollout in that case is October 13. Alternatively, you can force an immediate update with...
    yum update ea-* --enablerepo=cloudlinux-ea4-rollout-2-bypass
    Best regards, LBJ

    No, my OS is CentOS 7.9. When I run yum check-update I do see EA4 show up in the list but it says there is no update. Strange.
    0
  • LBJ
    No, my OS is CentOS 7.9. When I run yum check-update I do see EA4 show up in the list but it says there is no update. Strange.

    What output does the following generate...
    yum list ea-apache24.x*
    Best regards, LBJ
    0
  • rscalover
    yum list ea-apache24.x*

    Your command produces this output:
    ea-apache24.x86_64 1:2.4.48-5.el7.cloudlinux @imunify360-ea-php-hardened
    So I guess I have to wait for Imunify.
    0
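
The two checks traded in this thread (`httpd -v` and `yum list ea-apache24.x*`), gathered into one script as an added example; it is not part of any post or of cPanel's tooling, the function names are hypothetical, and the sample line is constructed from the output quoted above. It reports the package version together with the repository that owns it, which is what explained the last poster's missing update.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; SAMPLE_YUM is constructed
# from the `yum list` line quoted in the thread.

# Print the Apache version from `httpd -v` (or WHM status) text on stdin.
httpd_version() {
    sed -n 's|^Server [Vv]ersion: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# From `yum list ea-apache24.x*` output on stdin, print "<version> <repo>".
# The epoch ("1:") and the release ("-5.el7.cloudlinux") are stripped, as is
# the "@" that marks the repo an installed package came from.
pkg_version_repo() {
    awk '$1 ~ /^ea-apache24\./ {
        v = $2; sub(/^[0-9]+:/, "", v); sub(/-.*/, "", v)
        r = $3; sub(/^@/, "", r)
        print v, r; exit
    }'
}

# Succeed when dotted version $1 is at least $2 (numeric, field by field).
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
             sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# $1 = wanted version; stdin = `yum list` output.
# Returns 0 when the package meets it, 1 when it does not, 2 if not listed.
check_apache() {
    wanted=$1
    line=$(pkg_version_repo)
    [ -n "$line" ] || { echo "ea-apache24 not listed"; return 2; }
    ver=${line%% *}; repo=${line#* }
    if version_at_least "$ver" "$wanted"; then
        echo "OK $ver from $repo"
    else
        echo "PENDING $ver from $repo (want $wanted)"; return 1
    fi
}

SAMPLE_YUM='ea-apache24.x86_64  1:2.4.48-5.el7.cloudlinux  @imunify360-ea-php-hardened'
printf '%s\n' "$SAMPLE_YUM" | check_apache 2.4.50 || true
```

On a live server, pipe the real command in instead of the sample: `yum list 'ea-apache24.x*' | check_apache 2.4.50`.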