Summary

Upgrade on Debian

Versions

Server version: Apache/2.4.38 (Debian)

  • Debian 10 with buster-backports provides 2.4.52-1

https://packages.debian.org/buster-backports/apache2

Issues

  1. Linux OS and packages are not patched/updated regularly; the manage server is broken

Solutions

  1. Apache HTTP Server mod_proxy SSRF: update Apache to the latest supported version. https://www.acunetix.com/vulnerabilities/web/apache-http-server-mod_proxy-ssrf-cve-2021-40438/

Things to do to start

  1. update Apache on Debian 11 to the latest version and rescan the app
  2. update Apache from buster-backports on Debian 10 and rescan

Apache, Debian 11, issues from vulnerability report

  1. 150456 Apache HTTP Server NULL pointer dereference and Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-44224)
  2. 150461 Apache HTTP Server mod_proxy Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-40438)
  3. 150462 Apache HTTP Server Buffer Overflow Vulnerability (CVE-2021-44790)
  4. 150398 Apache HTTP Server Multiple Vulnerabilities (CVE-2021-26690, CVE-2021-26691)
  5. 150399 Apache HTTP Server Multiple Vulnerabilities (CVE-2021-34798, CVE-2021-39275)
  6. 150400 Apache HTTP Server HTTP/2 Method Injection (CVE-2021-33193)
  7. 150401 Apache HTTP Server Out-of-bounds Read - DoS (CVE-2021-36160)

Upgrading

<2022-05-18 Wed> Current state:

  • apps-1.test: Debian 9, Apache 2.4.25
  • apps-2: Debian 10, Apache 2.4.32 (https://readmission.test.kfupm.edu.sa/ar/)
  • apps-3: Debian 9, Apache 2.4.25
  • apps-4: Debian 10, Apache 2.4.52 (https://dsr-incentives.test.kfupm.edu.sa/)

Meetings

Applying patches to Debian 10 and Setting deadlines to upgrade OS

Renad

  1. [DONE] Decommission:
     • [x] trends: removed <2022-05-29 Sun>

  1. [INPROGRESS] Upgrade Debian 8 files.kfupm <2022-06-02 Thu>

    • still running
      • internal service, still required
  2. [INPROGRESS] Reconcile the inventory of Debian 8 and Debian 9 machines

<2022-06-02 Thu>

  • 113 machines need to be checked

    • 700 machines in total

      • 113 powered off
      • 687 machines running (Linux and Windows)
        • 348 Windows
        • 339 Linux
          • 159 Red Hat machines
          • 120 others: Debian, Ubuntu, CentOS, FreeBSD, SUSE
  • [INPROGRESS] provision apps-6.test (32 RAM, 200 GB storage), deadline <2022-05-31 Tue>

  • confirm with the Windows team whether password.kfupm.edu.sa is still in use, then decommission it

Akber

  1. Apache role: add a task that checks the OS version and, on Debian 10, installs apache2 from buster-backports <2022-05-31 Tue>
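The Debian 10 step under "Things to do to start" and the Apache role task above both come down to the same check: read the OS release, pick the apt suite (buster-backports on Debian 10, the regular archive on Debian 11), install apache2 from it, and confirm the installed version is no longer below the 2.4.52 that backports provides. The script below is an added example, not part of these notes or of the team's Apache role; it assumes the standard Debian /etc/os-release layout and the "Server version: Apache/x.y.z" line printed by `apache2 -v`. The helper functions run against constructed sample input by default so the logic can be exercised off-host; `--apply` runs the real remediation as root.

```shell
#!/bin/sh
# Added example (not from the original notes): decide which apt suite an
# Apache host needs and verify the installed version afterwards.
# Assumes Debian's /etc/os-release layout and `apache2 -v` output format.
# 2.4.52 is the buster-backports version quoted in the notes.

MIN_APACHE_VERSION="2.4.52"

# debian_major: print the Debian major release (e.g. "10") from os-release
# text on stdin. Prints nothing for non-Debian input.
debian_major() {
    awk -F= '
        $1 == "ID"         { gsub(/"/, "", $2); id = $2 }
        $1 == "VERSION_ID" { gsub(/"/, "", $2); ver = $2 }
        END { if (id == "debian") print ver }
    '
}

# apache_version: extract "2.4.38" from `apache2 -v` output on stdin.
apache_version() {
    sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# version_lt A B: exit 0 if A < B, comparing dotted numeric components.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# apt_suite_for: map a Debian major version to the apt suite that carries a
# recent enough apache2. Debian 10 needs buster-backports; Debian 11 uses
# its regular archive; anything else is out of scope here.
apt_suite_for() {
    case "$1" in
        10) echo "buster-backports" ;;
        11) echo "bullseye" ;;
        *)  echo "unsupported" ;;
    esac
}

# upgrade_apache: the actual remediation, run on the host as root.
upgrade_apache() {
    major=$(debian_major < /etc/os-release)
    suite=$(apt_suite_for "$major")
    case "$suite" in
        buster-backports)
            echo "deb http://deb.debian.org/debian buster-backports main" \
                > /etc/apt/sources.list.d/buster-backports.list
            apt-get update
            apt-get install -y -t buster-backports apache2
            ;;
        bullseye)
            apt-get update
            apt-get install -y apache2
            ;;
        *)
            echo "unsupported Debian release: $major" >&2
            return 2
            ;;
    esac
    installed=$(apache2 -v | apache_version)
    if version_lt "$installed" "$MIN_APACHE_VERSION"; then
        echo "apache2 is $installed, still below $MIN_APACHE_VERSION" >&2
        return 1
    fi
    echo "apache2 $installed installed"
}

# Constructed sample inputs (not captured from a real host) so the helpers
# can be exercised without touching the system.
SAMPLE_OS_RELEASE='PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
ID=debian'
SAMPLE_APACHE_V='Server version: Apache/2.4.38 (Debian)
Server built:   2021-12-21T16:50:43'

case "${1:-}" in
    --apply) upgrade_apache ;;
    *)
        major=$(printf '%s\n' "$SAMPLE_OS_RELEASE" | debian_major)
        cur=$(printf '%s\n' "$SAMPLE_APACHE_V" | apache_version)
        echo "Debian $major, apache $cur, suite $(apt_suite_for "$major")"
        version_lt "$cur" "$MIN_APACHE_VERSION" && echo "upgrade required"
        ;;
esac
```

The version check at the end is the part worth keeping in the role: a rescan only clears the report items if the package actually moved to the backports version, and `apt-get install -t buster-backports` silently keeps the stable package when the backports suite is missing from sources.list.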

Jaaved

  • Applications

    1. apps-1: Debian 9
    2. apps-3: upgrade Debian 9 to Debian 11

    Deadline: <2022-06-29 Wed>

Applications with site map information

  1. https://docs.kfupm.edu.sa/apps/alumni/generated-from-code.html

  2. https://docs.kfupm.edu.sa/apps/dsr-incentives/generated-from-code.html

  3. https://docs.kfupm.edu.sa/apps/graduate-assistantship/generated-from-code.html

  4. https://docs.kfupm.edu.sa/apps/tahani/generated-from-code.html