Re: Vcenter 6.7 and Apache HTTP Server 2.4.49 (CVE...

panizzag · ‎10-29-2021

I have a vulnerability on VCenter 6.7 on ports 6501 and 6502 because of Apache http server 2.4.49. The Apache recommendation is to update to Apache HTTP Server 2.4.51.

Is there a VMware patch for this? SHould I update Apache from the VCenter or download Apache from any repository?

Ajay1988 · ‎11-01-2021

Is there a VMware patch for this? Not Yet. VMware is aware of this and is working on a fix. Mostly Q1 2022 .

Should I update Apache from the VCenter or download Apache from any repository? Wait for the new VC Patch with the fix.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

KimSuarez · ‎11-29-2021

Any updates on this? I see the newer version already here https://network.pivotal.io/products/p-apache-http-server

but nothing from Vcenter yet

lhedrick · ‎12-22-2021

The Apache Software Foundation has released Apache HTTP Server 2.4.52. This version addresses vulnerabilities—CVE-2021-44790 and CVE-2021-44224—one of which may allow a remote attacker to take control of an affected system.

sbarutas · ‎01-04-2022

Hello , Does anyone have an update regarding this ? did vmware include a fix into vcenter server update ?

lhedrick · ‎01-04-2022

I would say that the patch will probably be included in this patch for this issue...
https://www.vmware.com/security/advisories/VMSA-2021-0028.html

Bunce · ‎03-15-2022

Has this been fixed yet? We're running latest vCenter release and 6501 and 6502 scans are still showing Apache 2.4.51..

irievibe · ‎03-22-2022

knock knock... is anyone home at vmware / dell / vcloud air, whatever you are now (aka checked out)
our vCenter is about to be blocked by our SOC. . . Please address this issue. It's been 4 months. I've seen jr techs write code faster than this... you don't even have to write the code! Just upgrade Apache please

vmware-tech1 · ‎03-28-2022

Would like to resolution for this issue as well.

sbarutas · ‎04-28-2022

Do we have any update regarding this ?

Ajay1988 · ‎04-29-2022

It already fixed for vCenter 7.0 .

vCenter Server 7.0 Update 3d (7.0.3.00500)

2022-03-29

19480866

root@is-dhcp39-136 [ ~ ]# rpm -qa | grep "httpd"
httpd-2.4.51-1.ph3.x86_64
root@is-dhcp39-136 [ ~ ]# vpxd -v
VMware VirtualCenter 7.0.3 build-19480866

For 6.7 ; there is work in progress. But will suggest all to move to 7.0 as 6.5 and 6.7 as reaching EOL on 15th Oct 2022.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

Martijn_a · ‎04-29-2022

Same here.

CVE-2021-44224 isn't fixed in the latest version 7.0(running 7.0.3.00500.

https://nvd.nist.gov/vuln/detail/CVE-2021-44224

Installed version : 2.4.51
Fixed version : 2.4.52

rpm -qa | grep "httpd"
vmware-studio-vami-lighttpd-3.0.0.7-18281789.x86_64
httpd-2.4.51-1.ph3.x86_64

vpxd -v
VMware VirtualCenter 7.0.3 build-19480866

Changelog doesn't show anything about CVE2021-44224

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html#sec...

Ajay1988 · ‎04-29-2022

This post started for CVE-2021-41773 . So I was talking about that.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

Ajay1988 · ‎04-29-2022

For CVE-2021-44224 ; fix will be in future. ETA for 6.7 line will be June and for 7.0 line will be July.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

Martijn_a · ‎04-29-2022

CVSS3 Score: 8.2 - HIGHSo customers will need too accept this risk until july? Isn't that unaccaptable too long?

Ajay1988 · ‎04-29-2022

I cannot comment much on those lines.
Feel free to have a SR filed and check if that can be early .I said what I could find.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

Jabur1 · ‎07-11-2022

saibhageerath · ‎09-09-2022

What is the procedure we need to follow for upgrade Apache version 8.4.51 to 8.4.54 on vcenter 7.0?

panizzag · ‎09-09-2022

you have to wait that VMware includes the new Apache version into an update patch.

All

Vcenter 6.7 and Apache HTTP Server 2.4.49 (CVE-2021-41773) Vulnerability

CVSS3 Score: 8.2 - HIGHSo customers will need too accept this risk until july? Isn't that unaccaptable too long?