Apache 2.4.50 version release for Bitnami Wordpress Stack

Keywords: WordPress - AWS - Technical issue - Upgrade

bnsupport ID: dbddcb97-7513-60d5-099c-4bfb7760bdc6

bndiagnostic output:

- Apache: Found possible issues
- Connectivity: Found possible issues
- Resources: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/
https://docs.bitnami.com/general/faq/administration/use-firewall/

bndiagnostic failure reason: The suggested guides are not related to my issue

Description:
Hi, we are currently using the Bitnami Wordpress stack. As per the Bitnami changelog (https://bitnami.com/stack/wordpress/installer/changelog.txt), the last release which contained an Apache upgrade to 2.4.48 was in July 2021. Can you let us know when the Bitnami Wordpress stack which contains Apache 2.4.50 will be released? The reason we are asking is that there have been vulnerabilities found in Apache 2.4.48 (https://www.cybersecurity-help.cz/vdb/SB2021091706).

Also, will a new stack with PHP 7.4.24 be released soon?

Hello @rukshan.sugathapala,

We have already released a new version of WP (5.8.1-16) on AWS with Apache 2.4.50 and PHP 7.4.24.

Regards

Hi, thanks for your response.

However, as per https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013 released on 07/10/2021, Apache 2.4.51 has been released due to critical vulnerabilities in 2.4.50 and 2.4.49.

Can you let me know when Apache 2.4.51 will be released for the Bitnami Wordpress stack?

Hi,
As @rukshan.sugathapala pointed out, the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. It is highly recommended to update to 2.4.51.
Will there be an update to the Bitnami WordPress Stack soon?

Thank you for your help!

Hello,

Yes, the team is working on releasing it ASAP. We expect to have most of the releases ready today.

Regards


Thank you @davidg

Not sure if this was the same within the older versions, but the new stack has test-cgi enabled by default, which means it is echoing the server environment variables and therefore leaks information. This should not be used for a production environment.

Hi @christoph1,

Could you provide us with more information? Could you please let us know where you found it?

Regards

Hi @davidg,

The web server makes a test script available that reveals details of the web server’s configuration to anyone who can connect to the machine. It even states that this script should not be used in production.

There is a publicly known exploit for this vulnerability:
Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - ‘test-cgi’ Directory Listing https://www.exploit-db.com/exploits/20435

I have deleted the file “test-cgi” in the directory “cgi-bin” to remove the vulnerability.

You can try the following to echo the result of the test script:

Port 443: https://www.example.com/cgi-bin/test-cgi
Port 80: http://www.example.com/cgi-bin/test-cgi
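A local audit for the two points raised in this thread (the leaked test-cgi script and the minimum Apache version), as an added example that is not part of the original posts or of Bitnami's own tooling. It assumes the default Bitnami layout of /opt/bitnami/apache2 with cgi-bin under it; the root path and the version string are passed in as arguments, so the checks run without touching the network.

```shell
# Added example, not from the thread or from Bitnami. Assumed default install
# root is /opt/bitnami/apache2; pass another root as the first argument.

# Returns 0 when no test-cgi script is present under $1/cgi-bin, 1 otherwise.
# The script echoes the server environment, so its presence is the finding.
check_test_cgi() {
  root="${1:-/opt/bitnami/apache2}"
  if [ -e "$root/cgi-bin/test-cgi" ]; then
    echo "FAIL: $root/cgi-bin/test-cgi present (echoes server environment); remove it"
    return 1
  fi
  echo "OK: no test-cgi script under $root/cgi-bin"
  return 0
}

# Returns 0 when dotted version $1 is >= $2, comparing each field numerically
# (so 2.4.9 < 2.4.51, which a plain string compare would get wrong).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# Returns 0 when the httpd version string $1 is at least 2.4.51, the first
# release that fully fixes CVE-2021-41773 / CVE-2021-42013 (per the thread).
# Obtain the string with e.g.: $root/bin/httpd -v | sed -n 's/.*Apache\/\([0-9.]*\).*/\1/p'
check_httpd_version() {
  ver="$1"
  if version_ge "$ver" 2.4.51; then
    echo "OK: httpd $ver"
    return 0
  fi
  echo "FAIL: httpd $ver is older than 2.4.51; upgrade"
  return 1
}
```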

Hello @christoph1,

Thanks a lot for the info. I have created a task for the team to remove it.

Regards