Apache vulnerability in 2.4.49

Jim M

There are reports today of a zero-day vulnerability in Apache 2.4.49, which seems to be the standard version in use on cPanel servers.


There is a new version released which patches it, 2.4.50, but running a yum update on servers does not update. Any idea when this will be incorporated by cPanel?
 

h4f

Are you going to issue an Apache 2.4.50 update for WHM v86.0.40?
 

rscalover

I get tons of such requests, but the good news is Imunify360 is blocking them. Also lots of "wannabe hackers" who are simply too stupid :)
 

h4f

@cPRex You wrote "We're going to be releasing an update tomorrow that will take care of this, and if your server receives automatic updates there is nothing else you need to do on your end."

I don't see new Apache being pushed on 86.0.40.
 

h4f

You won't ever see an Apache update tied to a specific version of cPanel. You can see yearly changelogs for the service here:


and you'll see each one has this note: "EasyApache 4 does not use versioning and organizes changes by date only."
So it suggests that you need to recompile Apache on each server yourself and that an update will not be pushed.

On second thought:

Apache Update 2.4.49 was released on 2021-09-16 because of CVE-2021-40438 and that was pushed automatically to 86.0.40.

So the question is still the same: is 86.0.40 going to get 2.4.50, or must admins do everything manually themselves?

Did anyone else with the latest current version of cPanel get 2.4.50, or also not yet?
 

vacancy



 

ciao70

So it suggests that you need to recompile Apache on each server yourself and that an update will not be pushed.

On second thought:

Apache Update 2.4.49 was released on 2021-09-16 because of CVE-2021-40438 and that was pushed automatically to 86.0.40.

So the question is still the same: is 86.0.40 going to get 2.4.50, or must admins do everything manually themselves?

Did anyone else with the latest current version of cPanel get 2.4.50, or also not yet?

Hello,

It was just released via EasyApache.


If the automatic update of EasyApache is active, it will also update on cPanel 86.0.40, as already happened for 2.4.49 ;)
 

cPRex

Jurassic Moderator
Staff member
As @ciao70 posted, the update is now live as it was released earlier today. What I have been saying is there is no relationship between the cPanel version and the EasyApache version on the system, as Apache and PHP packages are managed directly through their respective RPMs in EasyApache 4. If this were the old EasyApache 3 system, yes, you would have needed to manually recompile Apache and PHP on the server to get the update. Now, with everything being RPM based, this happens automatically as long as your updates are set to automatic.

Does that help clear things up?
 

itnext

I had checked for updates before posting, but it seems an update has dropped since then :)
After running the update, my Apache still says 2.4.49

Server Version: Apache/2.4.49 (cPanel) OpenSSL/1.1.1g mod_bwlimited/1.4
Server MPM: prefork
Server Built: Sep 29 2021 17:23:18
 

itnext

No. The post says the system will update automatically.
I did run System Update, which based on its output does the same thing as yum update, which I have run just now...

yum update
Last metadata expiration check: 2:25:52 ago on Thu 07 Oct 2021 05:36:25 AM AEDT.
Dependencies resolved.
Nothing to do.
Complete!


Still on 2.4.49
 

cPRex

Jurassic Moderator
Staff member
The system will update automatically as part of the overnight updates, although a manual "yum update" will work just the same.

If you're not seeing the package as part of an update to the system, there's likely some other reason that it isn't getting downloaded. You're welcome to submit a ticket to our team so we can check the server, as this is one of those things that should just work.
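
Added example, not part of the thread and not cPanel's code: a shell check that classifies the running Apache from its "Server Version:" banner against the two releases named above (2.4.49 affected, 2.4.50 fixed), comparing version fields numerically so that 2.4.9 is not mistaken for something newer than 2.4.49. The function names are hypothetical, and piping `httpd -V` into it on a live server is an assumption about where the banner comes from.

```shell
#!/bin/sh
# Added example: classify an Apache version banner against the releases
# named in this thread. Function names are hypothetical.
AFFECTED="2.4.49"   # release the thread reports as vulnerable
FIXED="2.4.50"      # release the thread names as the patch

# Print the Apache version found in `httpd -V` style text on stdin.
banner_version() {
    sed -n 's|^Server [Vv]ersion: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 if dotted version $1 is lower than $2, comparing each field
# as a number (plain string comparison would rank 2.4.9 above 2.4.49).
version_lt() {
    a_rest=$1; b_rest=$2
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*}; b=${b_rest%%.*}
        [ "$a_rest" = "$a" ] && a_rest= || a_rest=${a_rest#*.}
        [ "$b_rest" = "$b" ] && b_rest= || b_rest=${b_rest#*.}
        a=${a:-0}; b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    return 1
}

# Read banner text on stdin and print one of:
#   "affected V"           exactly the release the thread is about
#   "updated V"            at or above the fixed release named in the thread
#   "older-not-covered V"  below 2.4.49; the thread says nothing about these
#   "unknown"              no Apache version line found
classify_banner() {
    v=$(banner_version)
    if [ -z "$v" ]; then echo "unknown"
    elif [ "$v" = "$AFFECTED" ]; then echo "affected $v"
    elif version_lt "$v" "$FIXED"; then echo "older-not-covered $v"
    else echo "updated $v"
    fi
}

# Banner as posted in the thread; on a live server use: httpd -V | classify_banner
SAMPLE='Server Version: Apache/2.4.49 (cPanel) OpenSSL/1.1.1g mod_bwlimited/1.4
Server MPM: prefork
Server Built: Sep 29 2021 17:23:18'
printf '%s\n' "$SAMPLE" | classify_banner
```

Checking the banner of the running server rather than the package manager's output covers the case reported above, where `yum update` prints "Nothing to do" while Apache still identifies itself as 2.4.49.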