panizzag
Contributor

Vcenter 6.7 and Apache HTTP Server 2.4.49 (CVE-2021-41773) Vulnerability

I have a vulnerability on vCenter 6.7 on ports 6501 and 6502 because of Apache HTTP Server 2.4.49. The Apache recommendation is to update to Apache HTTP Server 2.4.51.

Is there a VMware patch for this? Should I update Apache from the vCenter or download Apache from any repository?

15 Replies
Ajay1988
VMware Employee

Is there a VMware patch for this? Not yet. VMware is aware of this and is working on a fix. Mostly Q1 2022.

Should I update Apache from the vCenter or download Apache from any repository? Wait for the new VC patch with the fix.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
KimSuarez
Contributor

Any updates on this? I see the newer version already here https://network.pivotal.io/products/p-apache-http-server

but nothing from vCenter yet

lhedrick
Enthusiast

The Apache Software Foundation has released Apache HTTP Server 2.4.52. This version addresses vulnerabilities—CVE-2021-44790 and CVE-2021-44224—one of which may allow a remote attacker to take control of an affected system.

sbarutas
Contributor

Hello, does anyone have an update regarding this? Did VMware include a fix in a vCenter Server update?
lhedrick
Enthusiast

I would say that the patch will probably be included in this patch for this issue...
https://www.vmware.com/security/advisories/VMSA-2021-0028.html

Bunce
Contributor

Has this been fixed yet? We're running the latest vCenter release and 6501 and 6502 scans are still showing Apache 2.4.51.
irievibe
Contributor

Knock knock... is anyone home at VMware / Dell / vCloud Air, whatever you are now (aka checked out)?
Our vCenter is about to be blocked by our SOC... Please address this issue. It's been 4 months. I've seen jr techs write code faster than this... you don't even have to write the code! Just upgrade Apache, please.

vmware-tech1
Contributor

Would like a resolution for this issue as well.

sbarutas
Contributor

Do we have any update regarding this?

Ajay1988
VMware Employee

It's already fixed for vCenter 7.0.

vCenter Server 7.0 Update 3d (7.0.3.00500), released 2022-03-29, build 19480866

root@is-dhcp39-136 [ ~ ]# rpm -qa | grep "httpd"
httpd-2.4.51-1.ph3.x86_64
root@is-dhcp39-136 [ ~ ]# vpxd -v
VMware VirtualCenter 7.0.3 build-19480866


For 6.7, there is work in progress. But I will suggest all to move to 7.0, as 6.5 and 6.7 are reaching EOL on 15th Oct 2022.


Regards,
AJ
Martijn_a
Contributor

Same here.

CVE-2021-44224 isn't fixed in the latest version 7.0 (running 7.0.3.00500).

https://nvd.nist.gov/vuln/detail/CVE-2021-44224

Installed version : 2.4.51
Fixed version : 2.4.52

rpm -qa | grep "httpd"
vmware-studio-vami-lighttpd-3.0.0.7-18281789.x86_64
httpd-2.4.51-1.ph3.x86_64

vpxd -v
VMware VirtualCenter 7.0.3 build-19480866

Changelog doesn't show anything about CVE-2021-44224

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html#sec...

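The check that both of the posts above do by hand (read the `httpd` package out of `rpm -qa` on the appliance and compare it with the fixed upstream release) as a small POSIX shell script. This is an added example, not something posted in the thread or shipped by VMware; the fixed-version table uses only the releases the posters quote (2.4.51 for CVE-2021-41773, 2.4.52 for CVE-2021-44790 and CVE-2021-44224), and the `rpm -qa` sample is constructed from the output pasted above.

```shell
#!/bin/sh
# Added example: compare the httpd RPM installed on a vCenter appliance
# (Photon OS) with the minimum upstream release that fixes a given CVE.

# Constructed sample of `rpm -qa` output, modelled on the thread's paste.
SAMPLE_RPM_QA='vmware-studio-vami-lighttpd-3.0.0.7-18281789.x86_64
httpd-2.4.51-1.ph3.x86_64'

# Minimum upstream httpd release per CVE, as quoted in the thread.
fixed_version_for() {
    case "$1" in
        CVE-2021-41773) echo 2.4.51 ;;
        CVE-2021-44790|CVE-2021-44224) echo 2.4.52 ;;
        *) return 1 ;;
    esac
}

# Pull "2.4.51" out of "httpd-2.4.51-1.ph3.x86_64". Anchoring on ^httpd-
# keeps the lighttpd package from matching.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^httpd-\([0-9][0-9.]*\)-.*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2 (numeric field-by-field compare,
# so 2.4.9 sorts below 2.4.51 unlike a plain string compare).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# check_httpd CVE-ID "<rpm -qa output>"
# exit 0 = at or above the fixed release, 1 = still below it, 2 = cannot tell
check_httpd() {
    cve="$1"
    need="$(fixed_version_for "$cve")" || { echo "$cve: not in table"; return 2; }
    have="$(httpd_version "$2")"
    if [ -z "$have" ]; then
        echo "$cve: no httpd package found"; return 2
    fi
    if version_ge "$have" "$need"; then
        echo "$cve: httpd $have >= $need, fixed release present"; return 0
    fi
    echo "$cve: httpd $have < $need, below the fixed release"; return 1
}

# Demo against the constructed sample. On a real appliance, run as root:
#   check_httpd CVE-2021-44224 "$(rpm -qa)"
for cve in CVE-2021-41773 CVE-2021-44790 CVE-2021-44224; do
    check_httpd "$cve" "$SAMPLE_RPM_QA" || :
done
```

The script reports what the scanners in the thread report: the 7.0 Update 3d package, 2.4.51, is at the release the opener was asked to reach for CVE-2021-41773 but below 2.4.52 for CVE-2021-44224 and CVE-2021-44790. The RPM version string is what a network scanner keys on; a vendor can also backport a fix without changing the upstream version number, so the definitive answer for an appliance remains the vendor's advisory and release notes, which is exactly what Martijn_a checked.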
Ajay1988
VMware Employee

This post started for CVE-2021-41773, so I was talking about that.


Regards,
AJ
Ajay1988
VMware Employee

For CVE-2021-44224, the fix will be in the future. ETA for the 6.7 line will be June and for the 7.0 line will be July.


Regards,
AJ
Martijn_a
Contributor

CVSS3 Score: 8.2 - HIGH

So customers will need to accept this risk until July? Isn't that unacceptably long?
Ajay1988
VMware Employee

I cannot comment much on those lines.
Feel free to have an SR filed and check if that can be earlier. I said what I could find.


Regards,
AJ