I have a vulnerability on VCenter 6.7 on ports 6501 and 6502 because of Apache http server 2.4.49. The Apache recommendation is to update to Apache HTTP Server 2.4.51.
Is there a VMware patch for this? Should I update Apache from the VCenter or download Apache from any repository?
Is there a VMware patch for this? Not yet. VMware is aware of this and is working on a fix. Mostly Q1 2022.
Should I update Apache from the VCenter or download Apache from any repository? Wait for the new VC Patch with the fix.
Any updates on this? I see the newer version already here https://network.pivotal.io/products/p-apache-http-server
but nothing from Vcenter yet
The Apache Software Foundation has released Apache HTTP Server 2.4.52. This version addresses vulnerabilities—CVE-2021-44790 and CVE-2021-44224—one of which may allow a remote attacker to take control of an affected system.
Hello, does anyone have an update regarding this? Did VMware include a fix in a vCenter Server update?
I would say that the patch will probably be included in this patch for this issue...
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Has this been fixed yet? We're running latest vCenter release and 6501 and 6502 scans are still showing Apache 2.4.51..
knock knock... is anyone home at vmware / dell / vcloud air, whatever you are now (aka checked out)
our vCenter is about to be blocked by our SOC. . . Please address this issue. It's been 4 months. I've seen jr techs write code faster than this... you don't even have to write the code! Just upgrade Apache please
Would like a resolution for this issue as well.
Do we have any update regarding this?
It is already fixed for vCenter 7.0.
vCenter Server 7.0 Update 3d (7.0.3.00500) | 2022-03-29 | 19480866 | 19480866 |
root@is-dhcp39-136 [ ~ ]# rpm -qa | grep "httpd"
httpd-2.4.51-1.ph3.x86_64
root@is-dhcp39-136 [ ~ ]# vpxd -v
VMware VirtualCenter 7.0.3 build-19480866
For 6.7, there is work in progress. But I will suggest all to move to 7.0, as 6.5 and 6.7 are reaching EOL on 15th Oct 2022.
Same here.
CVE-2021-44224 isn't fixed in the latest version 7.0 (running 7.0.3.00500).
https://nvd.nist.gov/vuln/detail/CVE-2021-44224
Installed version : 2.4.51
Fixed version : 2.4.52
rpm -qa | grep "httpd"
vmware-studio-vami-lighttpd-3.0.0.7-18281789.x86_64
httpd-2.4.51-1.ph3.x86_64
vpxd -v
VMware VirtualCenter 7.0.3 build-19480866
Changelog doesn't show anything about CVE-2021-44224
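The check in the post above, written out as an added example (not code from any poster in this thread or from VMware). The function names are hypothetical, the fixed-in versions are the ones quoted in this thread, and the sample input is the `rpm -qa` output shown above.

```shell
#!/bin/sh
# Added example. Fixed-in versions are the ones quoted in this thread.
FIXES="CVE-2021-41773:2.4.51 CVE-2021-44224:2.4.52 CVE-2021-44790:2.4.52"

# Print the upstream version of the package named exactly "httpd" from
# `rpm -qa` output on stdin. Anchoring on ^httpd- skips packages such as
# vmware-studio-vami-lighttpd that a plain grep "httpd" also returns.
httpd_version() {
    sed -n 's/^httpd-\([0-9][0-9.]*\)-.*$/\1/p' | head -n 1
}

# True when $1 >= $2 under version ordering (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print the CVEs from FIXES whose fixed-in version is newer than $1.
open_cves() {
    out=""
    for entry in $FIXES; do
        cve=${entry%%:*}
        fixed=${entry##*:}
        version_ge "$1" "$fixed" || out="$out $cve"
    done
    echo "${out# }"
}

# Sample rpm -qa output copied from the thread.
SAMPLE='vmware-studio-vami-lighttpd-3.0.0.7-18281789.x86_64
httpd-2.4.51-1.ph3.x86_64'

ver=$(printf '%s\n' "$SAMPLE" | httpd_version)
echo "httpd $ver: open CVEs: $(open_cves "$ver")"
```

A vendor build can carry backported fixes under an older version string, so treat the result the way you would a scanner finding and confirm it against the vendor advisory.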
This post started for CVE-2021-41773. So I was talking about that.
For CVE-2021-44224, the fix will be in the future. ETA for 6.7 line will be June and for 7.0 line will be July.
I cannot comment much on those lines.
Feel free to have an SR filed and check if that can be earlier. I said what I could find.
What is the procedure we need to follow to upgrade Apache version 8.4.51 to 8.4.54 on vCenter 7.0?
You have to wait until VMware includes the new Apache version in an update patch.