Many Apache websites running old, vulnerable software

Summary: According to Netcraft, which surveys publicly-accessible web servers, millions of websites still appear to be using vulnerable versions of Apache, including versions which are no longer supported.

Very few Apache web servers are running the current, fully-patched version of the software, according to research by Netcraft. Some very popular sites are running very old, vulnerable and unsupported versions.

Netcraft is best known for its continuous surveys of publicly-accessible web servers on the Internet. Apache's share of such servers has been taking a nosedive over the last two years, according to the latest report on that survey, although it still dominates among active sites and the busiest sites, running more than 50% of those surveyed in each category.

The latest version of the Apache Stable Release is 2.4.7, released November 25, 2013. Very few sites are running it: fewer than 1 percent of sites report running any version in the 2.4 branch, despite Apache urging users to do so. Instead, Apache servers are overwhelmingly running the "Legacy Release," i.e. the 2.2 branch, the latest version of which is 2.2.26, released November 18, 2013.

[Figure: Netcraft, most popular Apache versions]

Even version 1.3.x, at roughly 6 million sites, is far more popular than the Stable Release. The most popular such site is Weather Underground, which runs Apache 1.3.42. Weather Underground has an Alexa ranking of 172 in the US and 615 worldwide, so it's a very popular site.

As Netcraft notes, over half of Apache web sites hide the version number, although further tests may reveal it. Conversely, a server that reports a vulnerable version number may not be vulnerable to all of that version's flaws: Red Hat, for example, backports fixes from later releases into the earlier version it ships, so the version string alone does not show which fixes have been applied.

But, as best as we can tell, the 2.2.x branch is dominant. It is still distributed by many third parties, such as Red Hat. And many sites for which security is a prominent concern, such as OpenSSL, run old versions. OpenSSL.org runs Apache 2.2.22 on Ubuntu Linux.

Talkback

30 comments
  • not surprising

    People are lazy and businesses don't want to pay to ride the upgrade pony.
    greywolf7
    • Pay?

      “don't want to pay to ride the upgrade pony.”
      RickLively
      • what, you think time and effort are free?

        Not thinking too lively there, Rick.
        greywolf7
        • Wow!

          It's a simple question as I don't read minds.

          Don't trash someone's name because you are pissed off.
          RickLively
    • Ubuntu 12.04 came with Apache 2.2.22-ubuntu1.4

      So I'm still running 2.2.22. Very sad. I may have to wait for Ubuntu 14.04 to have Apache 2.4 as adding a PPA such as ppa:ptn107/apache might cause problems.
      Grayson Peddie
      • ppa:ptn107/apache

        I got that PPA from http://ubuntuforums.org/showthread.php?t=2011603 and some people have trouble getting Apache 2.4 to work in Ubuntu 12.04. I didn't read the rest of the thread for my first comment and it turns out that it can leave your system broken if you try to roll back to Apache 2.2.
        Grayson Peddie
        • RE: it turns out that it can leave your system broken

          Your Apache is simply missing some mods... easy to fix.
          mack.
          • I didn't upgrade my Apache server.

            So mine is still running smoothly right now.

            When I say "I got that PPA from http://ubuntuforums.org/showthread.php?t=2011603 and some people have..." I meant that I listed the PPA from a thread and I didn't add a PPA to my system, so I must have been unclear. Pardon me.
            Grayson Peddie
      • Grayson Peddie: "... still running [Apache] 2.2.22"

        At least you're aware of the fact that Apache is vulnerable. What have you done to restrict access (if possible), monitor for intrusions and/or containerize Apache (e.g., enable Ubuntu's default AppArmor profile for Apache)?

        P.S. Why not upgrade to Ubuntu 13.10, supported through July, 2014, for the short term and run a supported version of Apache until 14.04 is out for a couple of months?
        Rabid Howler Monkey
        • 13.10

          Zarafa (http://www.zarafa.com/, Community Edition) does not support 13.10 and I'm running in a VPS.

          If only I could compile Zarafa from source and figure out how to install it, as I don't care about getting support from Zarafa. I'd be happy enough to run all the bleeding-edge packages and not be so stuck with 12.04 LTS (and who cares about LTS anyway since I'm the only one using my VPS?).
          Grayson Peddie
          • Virtualization for Apache, since you're 'locked' to 12.04?

            Install VirtualBox from Ubuntu's repos on your Ubuntu 12.04 LTS box, install Ubuntu 13.10 server edition and install Apache 2.4?

            Another option might be to jump to Debian Wheezy (note: am not dissing Ubuntu).
            Rabid Howler Monkey
          • VPS = Virtual Private Server.

            And how am I supposed to do that in a hosted VPS? Because there are incompatible versions of the packages which Zarafa requires. Version dependencies which I'm not going to take a day or two over to get my server back up and running!
            Grayson Peddie
          • I'm using YourDomainGoesHere with OpenVZ VPS.

            It turns out the latest that I can install is Ubuntu 13.04, which is pretty much end of life.

            Oh well, I found that I can compile Apache web server, but I don't want to get into a situation that I can't get back to my old Apache as fast as possible. The only thing that is mission-critical is e-mail (web mail) and that's about it.

            http://devincharge.com/compiling-apache-2-4-ubuntu-12-04/
            Grayson Peddie
          • ServerTokens Prod, ServerSignature Off

            I've forgotten about it and looked through my /etc/apache2/apache2.conf.

            I also set expose_php to off in /etc/php5/apache2/php.ini.

            I wouldn't have posted my comments here if I had remembered what I'd done to hide Apache and PHP.
            Grayson Peddie
          • Grayson Peddie: "what I've done to hide Apache and PHP"

            On the surface, this would appear to be security by obscurity. Am curious if these settings would repel a determined hacker wielding an exploit for unpatched Apache vulns?

            P.S. Apache 2.4 is currently in Debian testing (Jessie) and there are no backports currently for earlier Debian versions. Thus, Debian Wheezy is not currently an option.
            Rabid Howler Monkey
          • Security through obscurity

            I can list thousands of websites where they can tell you how to hide your Apache and PHP version. Why don't you tell millions of websites about security through obscurity. Here, I'll list them:

            http://www.ducea.com/2006/06/16/apache-tips-tricks-hide-php-version-x-powered-by/

            http://techtalk.virendrachandak.com/how-to-hide-apache-information-with-servertokens-and-serversignature-directives/

            http://www.if-not-true-then-false.com/2009/howto-hide-and-modify-apache-server-information-serversignature-and-servertokens-and-hide-php-version-x-powered-by/

            http://stevepapa.com/hiding-apache-and-php-version-information-from-your-server-http-response-headers

            I can go on and on, but you'll get the idea.
            Grayson Peddie
      • In the same boat

        I look after about a dozen servers and they all run Ubuntu-12.04. They won't get upgraded until Ubuntu 14.04 rolls around.
        mheartwood
        • And what have you done to harden them?

          .
          Rabid Howler Monkey
          • And what is with you?

            Why ask such a question?
            Grayson Peddie
          • Grayson Peddie: "Why ask such a question?"

            It would appear that Canonical, Ltd. is a bit behind with its apache2 patching. As stated in the article, the legacy Apache httpd version is currently at 2.2.26 which was released on November 18, 2013. And, according to the Ubuntu changelog for precise apache2, apache2_2.2.22-1ubuntu1.4 was released on July 12, 2013.

            The following security fixes are from the 'CHANGES_2.2' file at http://httpd.apache.org/download.cgi. Security fixes with Apache 2.2.23:
            *) SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs. [Stefan Fritsch]
            *) SECURITY: CVE-2012-2687 (cve.mitre.org) mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. [Niels Heinen]

            Security fixes with Apache 2.2.24:
            *) SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. [Jim Jagielski, Stefan Fritsch, Niels Heinen]
            *) SECURITY: CVE-2012-4558 (cve.mitre.org) XSS in mod_proxy_balancer manager interface. [Jim Jagielski, Niels Heinen]

            Security fixes with Apache 2.2.25:
            *) SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. [Ben Reser]
            *) SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. [Eric Covener, Jeff Trawick, Joe Orton]

            Changes with Apache 2.2.26:
            *) mod_ssl: Change default for SSLCompression to off, as compression causes security issues in most setups. (The so called "CRIME" attack). [Stefan Fritsch]
            Rabid Howler Monkey
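As an added illustration (not from the article or any commenter), here is a small Python checker for your own server's raw HTTP response headers: it reports whether the Server header hides the version (the ServerTokens Prod setting discussed above), whether X-Powered-By still leaks PHP, and, for a 2.2.x version string, which of the security fixes listed in the CHANGES_2.2 excerpt above it predates. The version-to-fix mapping and the 2.2.26/2.4.7 release numbers are taken only from this page; the sample response is constructed, and, as the article notes, a distribution may have backported fixes, so an "outdated" verdict is a prompt to check the package changelog rather than proof of exposure.

```python
import re

# Security-relevant fixes from the CHANGES_2.2 excerpt quoted above, keyed by the
# 2.2.x patch level that first shipped them (2.2.26's entry is a default change).
FIXES_2_2 = {
    23: ["CVE-2012-0883", "CVE-2012-2687"],
    24: ["CVE-2012-3499", "CVE-2012-4558"],
    25: ["CVE-2013-1896", "CVE-2013-1862"],
    26: ["SSLCompression default off (CRIME)"],
}
# Latest releases per branch as stated in the article (late 2013); 1.3 is unsupported.
LATEST = {"2.2": (2, 2, 26), "2.4": (2, 4, 7)}

SERVER_RE = re.compile(r"^Server:\s*(.*)$", re.I | re.M)
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample: what a default Ubuntu 12.04 box with PHP might return.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: Apache/2.2.22 (Ubuntu)\r\n"
                   "X-Powered-By: PHP/5.3.10-1ubuntu3\r\n\r\n")

def parse_server_header(raw_headers):
    """Return the Server header value (without CR/LF), or None if absent."""
    m = SERVER_RE.search(raw_headers)
    return m.group(1).strip() if m else None

def assess(raw_headers):
    """Classify what a raw response header block reveals about Apache.

    Keys: server, version (tuple or None), branch, status ('not-apache',
    'hidden', 'unsupported', 'outdated', 'current', 'unknown-branch'),
    missing (fixes from FIXES_2_2 the advertised version predates), and
    leaks (other version-revealing headers found, e.g. X-Powered-By).
    """
    server = parse_server_header(raw_headers)
    leaks = re.findall(r"^(X-Powered-By):", raw_headers, re.I | re.M)
    result = {"server": server, "version": None, "branch": None,
              "missing": [], "leaks": leaks}
    if server is None or "Apache" not in server:
        result["status"] = "not-apache"
        return result
    m = VERSION_RE.search(server)
    if not m:  # "Server: Apache" alone is what ServerTokens Prod produces
        result["status"] = "hidden"
        return result
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    branch = f"{ver[0]}.{ver[1]}"
    result["version"], result["branch"] = ver, branch
    if branch == "1.3":
        result["status"] = "unsupported"
    elif branch in LATEST:
        result["status"] = "current" if ver >= LATEST[branch] else "outdated"
        if branch == "2.2":  # list every fix shipped after this patch level
            result["missing"] = [f for lvl, fixes in FIXES_2_2.items()
                                 if ver[2] < lvl for f in fixes]
    else:
        result["status"] = "unknown-branch"
    return result
```

Run `assess(SAMPLE_RESPONSE)` or feed it the header block from `curl -sI https://your-host/` to see which verdict your own configuration produces.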