bdeen
Contributor

Apache 2.4.x < 2.4.56 Multiple Vulnerabilities

I have a scan finding that my Apache is less than 2.4.56. I just installed the latest update from VMware, 7.0.3.01600, for my vCenter.

When I checked the Apache version, it's still showing 2.4.54.

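As an added example, not code from the thread or from VMware, here is a small check that parses the banner `httpd -v` / `apachectl -v` prints and compares it numerically against the scanner's 2.4.56 threshold; the sample banners are constructed, and the parser also tolerates a stray space inside the number like the "2.4. 54" pasted above.

```python
import re

# Threshold from the scanner finding in the thread: anything below 2.4.56 is flagged.
FIXED_VERSION = "2.4.56"

# Constructed sample banners in the format `httpd -v` prints; the 2.4.54 line mirrors
# what the poster saw after applying vCenter 7.0.3.01600.
SAMPLE_BANNERS = [
    "Server version: Apache/2.4.54 (Unix)",
    "Server version: Apache/2.4.56 (Unix)",
    "Server version: Apache/2.4.9 (Unix)",  # string compare would wrongly rank this above 2.4.56
]


def parse_version(text: str) -> tuple:
    """Extract the numeric Apache version from a banner or a bare version string.

    Whitespace inside the number (e.g. "2.4. 54" as pasted in the thread) is ignored.
    """
    m = re.search(r"Apache/?\s*(\d+(?:\.\s*\d+)*)", text)
    if not m:
        m = re.search(r"(\d+(?:\.\s*\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in re.sub(r"\s+", "", m.group(1)).split("."))


def is_vulnerable(banner: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the banner's version is strictly below the fixed version.

    Compares integer tuples, not strings, so 2.4.9 < 2.4.56 comes out right.
    """
    return parse_version(banner) < parse_version(fixed)


def triage(banners: list) -> dict:
    """Map each banner to whether the scanner's threshold still flags it."""
    return {b: is_vulnerable(b) for b in banners}


if __name__ == "__main__":
    for banner, flagged in triage(SAMPLE_BANNERS).items():
        print(f"{'FLAGGED' if flagged else 'ok     '}  {banner}")
```

A banner below the threshold reproduces what the scanner reports; whether the vendor backported the fix without bumping the version number is something only the release notes answer, not the banner.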
Sachchidanand
Expert

As per the release note, this version is not a fix update:

Regards,
Sachchidanand
VMGUY5
Contributor

This vulnerability has been out for a while and VMware has produced many patches since this was first reported. Why have they not upgraded Apache yet?

GeoPerkins
Enthusiast

I'm interested in a solution here as well.

Apache Tomcat CVEs:

CVE-2019-17569 HTTP Request Smuggling with reverse proxy code regression (Fixed Apache Tomcat 9.0.31)

CVE-2020-1935 HTTP Request Smuggling (fixed Apache Tomcat 9.0.30)

CVE-2020-1938 file read/inclusion vulnerability in the AJP connector (Fixed Apache Tomcat 9.0.31)

CVE-2021-44228 Apache Log4j logging library (fixed in Log4j 2.17.1)


Are these addressed by VMware, and why not use the newest Apache?

juankathens
Contributor

Still nothing as of Oct 24, 2023. 
