Apache vulnerability in 2.4.49

[Jim M]

There are reports today of a zero-day vulnerability in Apache 2.4.49, which seems to be the standard version in use on cPanel servers.

Apache fixes actively exploited web server zero-day

The Apache Software Foundation has released on Monday a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild.

therecord.media

There is a new version released which patches it, 2.4.50, but running a yum update on servers does not update. Any idea when this will be incorporated by cPanel?

 

[cPRex]

Hey there! We're going to be releasing an update tomorrow that will take care of this, and if your server receives automatic updates there is nothing else you need to do on your end.

 

[ciao70]

Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.

Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

A zero-day vulnerability in Apache Web Server has been found in the wild — patch now

thehackernews.com

 

[cPRex]

I wasn't going to brag!

 

[Jim M]

I suspected an update would be imminent...

Thanks for the info, and well-done on spotting the bug!

 

[h4f]

Are you going to issue an Apache 2.4.50 update for WHM v86.0.40 ?

 

[rscalover]

I get tons of such requests but the good news is imunify360 is blocking them also lots of "wannabe hackers" who are simply to stupid

 

[ciao70]

Are you going to issue an Apache 2.4.50 update for WHM v86.0.40 ?

Hello,

easy apache continues to work on Cpanel 86

 

[cPRex]

@h4f - Apache updates are independent of the cPanel version. That being said, you should get the machine updated to a supported version of cPanel as there are likely other security issues present.

 

[h4f]

@cPRex You wrote " We're going to be releasing an update tomorrow that will take care of this, and if your server receives automatic updates there is nothing else you need to do on your end. "

I don't see new Apache being pushed on 86.0.40.

 

[cPRex]

You won't ever see an Apache update tied to a specific version of cPanel. You can see yearly changelogs for the service here:

Change Logs | cPanel & WHM Documentation

docs.cpanel.net

and you'll see each one has this note: "EasyApache 4 does not use versioning and organizes changes by date only."

 

[h4f]

You won't ever see an Apache update tied to a specific version of cPanel. You can see yearly changelogs for the service here:

Change Logs | cPanel & WHM Documentation

docs.cpanel.net

and you'll see each one has this note: "EasyApache 4 does not use versioning and organizes changes by date only."

So it suggests that you need to recompile on each server Apache yourself and there will not be pushed an update.

On second thought:

Apache Update 2.4.49 was released on 2021-09-16 because of CVE-2021-40438 and that was pushed automatically to 86.0.40.

So the question is still the same, is 86.0.40 going to get 2.4.50 or must admin do everything manually themselves?

Did anyone else with latest current version of CPANEL get 2.4.50 or also not yet?

 

[vacancy]

EasyApache 4 October 6 Release

EasyApache 4 October 6 Release We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional...

forums.cpanel.net

• EA-10157: Update ea-apache2 to 2.4.50, drop 2.4.49 (with fixes for CVE-2021-41773 and CVE-2021-41524).

 

[ciao70]

So it suggests that you need to recompile on each server Apache yourself and there will not be pushed an update.

On second thought:

Apache Update 2.4.49 was released on 2021-09-16 because of CVE-2021-40438 and that was pushed automatically to 86.0.40.

So the question is still the same, is 86.0.40 going to get 2.4.50 or must admin do everything manually themselves?

Did anyone else with latest current version of CPANEL get 2.4.50 or also not yet?

Hello,

It was just released via Easy apache

EasyApache 4 October 6 Release

EasyApache 4 October 6 Release We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional...

forums.cpanel.net

If the automatic update of Easy apache is active it will also update on Cpanel 86.0.40 as already happened for 2.4.49

 

[itnext]

Soooo... Im not quite following - it seems that CPRex suggested that a new update was due but it hasnt landed yet?

 

[cPRex]

As @ciao70 posted, the update is now live as it was released earlier today. What I have been saying is there is no relationship to the cPanel version and to the EasyApache version on the system as Apache and PHP packages are managed directly through their respective RPMs in EasyApache 4. If this were the old EasyApache 3 system, yes, you would have needed to manually recompile Apache and PHP on the server to get the update. Now, with everything being RPM based, this happens automatically as long as your updated are set to automatic.

Does that help clear things up?

 

[itnext]

I had checked for updates before posting but it seems an update has dropped since then
After running update my Apache still says 2.4.49

Server Version: Apache/2.4.49 (cPanel) OpenSSL/1.1.1g mod_bwlimited/1.4
Server MPM: prefork
Server Built: Sep 29 2021 17:23:18

 

[cPRex]

Did you run "yum update" on that system?

 

[itnext]

No. The post says the system will update automatically.
I did run System Update which based on its output does the same thing as yum update which I have run just now...

yum update
Last metadata expiration check: 2:25:52 ago on Thu 07 Oct 2021 05:36:25 AM AEDT.
Dependencies resolved.
Nothing to do.
Complete!

Still on 2.4.49

 

[cPRex]

The system will update automatically as part of the overnight updates, although a manual "yum update" will work just the same.

If you're not seeing the package as part of an update to the system, there's likely some other reason that isn't getting downloaded. You're welcome to submit a ticket to our team so we can check the server, as this is one of those things that should just work.