符合PCI的Apache版本

Question

我们正在使用当前版本的Apache2.4。6可在Centos 7回放。安装了百胜。

我们正在处理PCI的遵从性问题，报告说：

IP Address: x
Host: x
Path: 

THREAT REFERENCE

Summary: 
vulnerable Apache version: 2.4.6

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_server_apache_version

Details: Apache HTTP Server mod_proxy_fcgi Response Handling Vulnerability
11/21/14
CVE 2014-3583
Apache HTTP Server before 2.4.11 is prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability exists due to an overflow condition in mod_proxy_fcgi.
when handling responses from FastCGI servers. The vulnerability can be exploited by
sending a crafted response from a malicious FastCGI server, which could lead to a 
crash when reading past the end of a heap memory. 
Apache HTTP Server NULL Pointer Dereference Vulnerability
10/08/14
CVE 2014-3581
Apache HTTP Server 2.4.10 and earlier is prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability exists because the application contains flaw in
the cache_merge_headers_out() function which is 
triggered when handling an empty 'Content-Type' header value. 
Multiple Vulnerabilities Fixed in Apache HTTP Server 2.4.10
07/24/14
CVE 2014-0117
CVE 2014-0118
CVE 2014-0226
CVE 2014-0231
CVE 2014-3523
Apache HTTP Server before 2.4.10 is prone to multiple vulnerabilities,
which can be exploited to cause a DoS (Denial of Service).
The vulnerabilities exist because the application contains flaw in 
mod_proxy, mod_deflate, mod_status, and mod_cgid modules and
in the winnt_accept function of WinNT MPM. 
Note: the WinNT MPM denial of service vulnerability can only
be exploited when the default AcceptFilter is used.
Apache HTTP Server Two Denial of Service Vulnerabilities
03/19/14
CVE 2013-6438
CVE 2014-0098
Apache HTTP Server before 2.4.9 is prone to two vulnerabilities,
which can be exploited to cause a DoS (Denial of Service).
The first vulnerability exists due to an error in the mod_log_config module when logging 
with truncated cookies. The second vulnerability is due to a boundary error in the mod_dav 
module when removing leading spaces.
HTTP-Basic Authentication Bypass Vulnerability
08/14/09
Apache 2.2.2 and prior are prone to an authentication-bypass vulnerability 
because it fails to properly enforce access restrictions on certain requests to a site that requires authentication.
An attacker can exploit this issue to gain access to protected resources, 
which may allow the attacker to obtain sensitive information or launch further attacks.
Apache HTTP Server OS Fingerprinting Unspecified Security Vulnerability
11/03/08
Apache 2.2.9 and prior is prone an unspecified security vulnerability.

Information From Target:
Service: https
Received: Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.6.13

我们每周更新一次服务器"yum更新“。

但当我这么做时: rpm -q --changelog \ grep -我可以看到以下内容：

• 核心:修复块头解析缺陷(CVE-2015-3183)和ap_force_authn钩子(CVE-2015-3185)。
• 核心:通过分组请求修正绕过mod_headers规则的问题(CVE-2013-5704)
• mod_cache:修正空内容类型的空指针取消引用(CVE-2014-3581)
• mod_cgid:为CVE-2014-0231添加安全修复(#1120608)
• mod_proxy:为CVE-2014-0117添加安全修复(#1120608)
• mod_deflate:为CVE-2014-0118添加安全修复(#1120608)
• mod_status:为CVE-2014-0226添加安全修复(#1120608)
• mod_cache:为CVE-2013-4352添加安全修复(#1120608)
• mod_dav:为CVE-2013-6438添加安全修复(#1077907)
• mod_log_config:为CVE-2014-0098添加安全修复(#1077907)

如何应用安全扫描要求的修补程序？我找不到rpms来做这件事。

提前谢谢。

致以问候。

Answer 1

这是一个问题(或好处取决于你如何看待它！)使用包管理器。

一方面，它们通常是较旧版本的应用程序，因此容易受到漏洞(以及没有最新功能)，但另一方面，它们是稳定的。然而，很多供应商(包括Red和CENTOS )通常都会为这些版本提供必要的修复，但这对于漏洞扫描可能并不明显。

可以说，像您这样的报告有点懒，因为它们假设您没有完全基于版本号应用补丁，而很容易看到(或询问)您是否使用了包管理器，然后可以测试它是否应用了修补程序。再一次，这取决于扫描是如何完成的，以及它们如何确定您所使用的版本。如果他们能访问你的服务器，我会说他们已经证实了这一点。如果他们以任何其他方式这样做，比如基于您的HTTP标头返回，那么我会说它们不能验证您是否已经修补好了，所以它们是正确的(顺便说一句，如果是的话，您可能不应该在HTTP标头中返回特定的版本号！)

最后，你应该意识到，这份报告通常是一份可能出现的问题清单，你完全有权拿出你认为这些问题已经得到解决或缓解的证据--比如你在问题中提供的证据，以及你有一个固定的修补时间表……等。这里仍然存在风险(例如，修补程序之间出现的任何风险和/或如果您忘记修补很长时间)，而任何报告强调该风险是正确的，但它们通常会减少报告中警告的错误，从而将其突出显示为降低风险。