Apache High Risk Vulnerabilities

Keywords: WordPress - Microsoft Azure - How to - Other

Description:
I’m now using the newest Bitnami WordPress instance in Azure (WordPress version 5.8 and with php version 7.4.22). However, our CISA scan assessment is showing two high vulnerabilities linked to the older versions of Apache. See: CVE-2021-40438, CVE-2021-39275 and CVE-2021-34798.

Hi @Private,

The latest version of the Bitnami WordPress solution available in the Azure Marketplace includes Apache 2.4.49 which fixes the security issues you mentioned.

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bitnami.wordpress?tab=PlansAndPrice

You can launch a new instance in the Azure cloud and migrate the data to that new instance by following this guide

https://docs.bitnami.com/azure/how-to/migrate-wordpress/

Happy to help!


Was my answer helpful? Click on :heart:

Apache 2.4.49 has the issues:

See: https://httpd.apache.org/security/vulnerabilities_24.html

I just did a migration 3 weeks ago to resolve other vulnerabilities in the earlier PHP version. We can’t keep on doing this. You need to provide a means to upgrade and/or patch without having to move the site to another new instance. These moves are heavily entwined in potential failure and require much coordination.

You need to update the WAMP installers for PHP 7.4.24, which contain Apache 2.4.49.

It is now advised to move to the Apache HTTP Server patch (2.4.50).

MS-ISAC ADVISORY NUMBER: 2021-127

DATE(S) ISSUED: 10/05/2021

TECHNICAL SUMMARY:

A vulnerability has been discovered in Apache HTTP Server, which could allow for a path traversal attack. The vulnerability was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by the “require all denied” access control parameter, disabled by default, these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. Path traversal attacks involve sending requests to access backend or sensitive server directories that should be out of reach. With this vulnerability, the filters are bypassed by using encoded characters (ASCII) for the URLs. Successful exploitation allows threat actors to map URLs to files outside the expected document root by launching a path traversal attack and would give a remote attacker access to arbitrary files outside of the document root on the vulnerable web server. Additionally, exploits of this flaw may lead to the leaking of the source of interpreted files such as CGI scripts.

RECOMMENDATIONS:
We recommend the following actions be taken:
• Apply the latest Apache HTTP Server patch (2.4.50) for your platform

How do I get to 2.5?
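A small check, added here and not part of the thread or of Bitnami's own tooling, that ties the advisory's two points together: the installed Apache version (parsed from an `httpd -v` banner) and whether the filesystem root is locked down with `Require all denied`. The httpd.conf fragments are constructed samples, and the `/opt/bitnami/...` paths are assumed.

```python
import re
from typing import Optional, Tuple
# Constructed httpd.conf fragments (not Bitnami's real files): the first never
# locks down the filesystem root, the second does it the way the advisory describes.
CONF_OPEN_ROOT = """
<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Require all granted
</Directory>
"""
CONF_DENIED_ROOT = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Require all granted
</Directory>
"""
DIRECTORY_RE = re.compile(
    r'<Directory\s+"?(?P<path>[^>"\s]+)"?\s*>(?P<body>.*?)</Directory>', re.S | re.I)

def root_directory_denies(conf: str) -> bool:
    """True only if a <Directory /> block denies everything and grants nothing."""
    for m in DIRECTORY_RE.finditer(conf):
        if m.group("path") != "/":
            continue
        body = m.group("body")
        denied = re.search(r"^\s*Require\s+all\s+denied\s*$", body, re.M | re.I)
        granted = re.search(r"^\s*Require\s+all\s+granted\s*$", body, re.M | re.I)
        return bool(denied) and not granted
    return False  # no root block at all: nothing outside DocumentRoot is denied

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Pull (2, 4, 49) out of an 'httpd -v' banner like 'Server version: Apache/2.4.49 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

# 2.4.49 from the advisory; 2.4.50 because the thread says Apache shipped 2.4.51 to patch it.
AFFECTED = {(2, 4, 49), (2, 4, 50)}

def assess(banner: str, conf: str) -> str:
    v = parse_version(banner)
    if v is None:
        return "unknown: could not parse the Apache version"
    if v not in AFFECTED:
        return "ok: Apache %d.%d.%d is not in the affected set" % v
    if root_directory_denies(conf):
        return "mitigated: affected version but filesystem root is 'Require all denied'; still upgrade to 2.4.51"
    return "vulnerable: affected version and filesystem root not denied; upgrade to 2.4.51"
```

On a live instance, feed it the output of `httpd -v` and the contents of httpd.conf (with any included conf files concatenated), since the root deny may live in an included file.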

The best way to upgrade the Bitnami WAMP stack is to move files outside the Bitnami installation path. We use Drupal under Bitnami. All custom conf files, database files, and Drupal site files are stored in a separate directory outside the Bitnami installation directory. When we upgrade Bitnami we replace the installation httpd.conf file with an httpd.conf file that references the custom conf files, database files, and Drupal site outside the installation directory. Bitnami WAMP stack upgrades are easy for us.

I don’t think the WAMP solution is an option for us. We are using the prepackaged version made available in Azure.

See: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bitnami.wordpress?tab=PlansAndPrice

From what I understand, the only way to upgrade or patch is to move to a new instance.

Hi @Private,

If you want to keep using the Bitnami WordPress VM in Azure, you will need to perform the migration process every time you want to update any of the infrastructure components of the stack. There is not any other way to achieve that. Sorry for the inconvenience.

However, you can start using the Bitnami WordPress container in an Azure VM:

https://github.com/bitnami/bitnami-docker-wordpress#upgrade-this-image

Let me know if you have any questions.

Hi,

This is more than an inconvenience, it’s a huge security risk. For as noted earlier in your communications, the current Bitnami WordPress VM installation option in Azure contains “Apache HTTP Server 2.4.49”, the very source of the exposure for the vulnerability. There is no current means to move to the latest Apache HTTP Server patch (2.4.50), even if a customer desired to migrate.

Can you provide a date when the Bitnami WordPress VM installation option in Azure will contain “Apache HTTP Server 2.4.50” in the infrastructure components of the stack so that we are not immediately rolling out a vulnerability with no means to mediate the issue?

Hi @Private,

We built, tested and released Bitnami WordPress with Apache 2.4.50 and 2.4.51 (because Apache released another version patching the previous one) as soon as Apache released them. However, the cloud provider takes some time to publish the solution in the marketplace.

If you want to start using Bitnami WordPress with Apache 2.4.51, we suggest you use the Bitnami Launchpad for Azure where you can launch the latest version of the Bitnami solution without needing to wait for the cloud provider to publish it.

Happy to help!


Hi,

I think I would rather leave it self-enclosed rather than adding another security risk by creating the direct linkage between Bitnami and Azure. Again, I hoped to find a way to update/patch without moving to another instance. These migration steps are not cost effective and will only force us to look at other alternatives. ~ Thanks

Hi @Private,

I’m sorry to hear that but as I explained above, you can only upgrade the base stack by migrating the data to a new instance. There is not any other supported method to upgrade the base components of the instance.

Thanks