CVE-2021-33193 should be solved in LAMP stack

Type: Bitnami Support Tool

Description:
pen-test website scanning tool show this CVE should be solved in LAMP stack/aws , how we can update the Apache http server, and when its new version 1.2.49 (fixed version ) will be available?

Hi @baker.khamiseh

Thanks for using Bitnami LAMP!

It should be fixed already in the latest published version of the Bitnami LAMP stack. I have tried launching a new instance in AWS (7.4.24-5) and you can see that Apache was updated:

$ sudo /opt/bitnami/apache/bin/apachectl -V
Server version: Apache/2.4.49 (Unix)
Server built:   Sep 16 2021 07:54:51
Server's Module Magic Number: 20120211:116
Server loaded:  APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture:   64-bit
...

In any case, be aware that CVE-2021-33193 only affects Apache servers using HTTP/2, which is disabled by default on Bitnami stacks :slightly_smiling_face:

Best regards,
Jose Antonio Carmona



Hello Jcarmona;
but the version on AWS Lightsail is 7.4.22-0, so when will you update it?! The VA tool still shows the Apache (http_server) version as 2.4.48, and its CVSS = 7.5 = high risk
#sudo /opt/bitnami/apache/bin/apachectl -V
Server version: Apache/2.4.48 (Unix)
Server built: Jun 1 2021 21:30:10
Server's Module Magic Number: 20120211:105
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture: 64-bit

but the version on AWS Lightsail is 7.4.22-0

We have already released the new version and sent it to the different Marketplaces. Furthermore, it is already available in most of them, as you can see from my previous answer. It will be a matter of time for AWS Lightsail to update the published stack, but there is nothing more we can do on our side, as this is an internal process each Marketplace follows.

and its CVSS = 7.5= high risk

Although the CVSS is indeed 7.5, it seems the issue does rely on the use of HTTP/2 in order to affect Apache. Bitnami stacks ship this module, but it is disabled by default:

https://docs.bitnami.com/general/apps/redmine/configuration/enable-modules/#mod_http2

Best regards,
Jose Antonio Carmona


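The two facts this answer relies on, the httpd version (fixed in 2.4.49) and whether mod_http2 is actually loaded, can be checked together. The script below is an added example, not Bitnami's own tooling: it parses the text of `apachectl -V` and `apachectl -M` (sample outputs are constructed inline, the module listing format is an assumption) and classifies the server as patched, exposed, or unpatched but not serving HTTP/2.

```shell
#!/bin/sh
# Added example: classify a Bitnami Apache instance for CVE-2021-33193
# from `apachectl -V` (version) and `apachectl -M` (loaded modules).

# True (exit 0) when dotted version $1 is lower than $2, e.g. 2.4.48 < 2.4.49.
ver_lt() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2          # split both versions into positional fields
  IFS=$old_ifs
  a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; b1=${4:-0}; b2=${5:-0}; b3=${6:-0}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# Pull "2.4.48" out of the "Server version: Apache/2.4.48 (Unix)" line.
apache_version() {
  printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p' | head -n 1
}

# `apachectl -M` lists HTTP/2 as "http2_module (shared)" when mod_http2 is on
# (assumed format; the module name is Apache's real identifier).
http2_loaded() {
  printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# Prints: patched | exposed | unpatched-no-http2
assess_cve_2021_33193() {
  v=$(apache_version "$1")
  if ! ver_lt "$v" "2.4.49"; then echo "patched"; return 0; fi
  if http2_loaded "$2"; then echo "exposed"; else echo "unpatched-no-http2"; fi
}

# Constructed sample inputs, modelled on the outputs quoted in this thread.
V_OLD="Server version: Apache/2.4.48 (Unix)
Server built: Jun 1 2021 21:30:10"
V_NEW="Server version: Apache/2.4.49 (Unix)
Server built:   Sep 16 2021 07:54:51"
M_NO_H2="Loaded Modules:
 core_module (static)
 ssl_module (shared)"
M_H2="Loaded Modules:
 core_module (static)
 http2_module (shared)"

assess_cve_2021_33193 "$V_OLD" "$M_NO_H2"   # unpatched-no-http2
```

On a live instance, feed it `"$(sudo /opt/bitnami/apache/bin/apachectl -V)"` and `"$(sudo /opt/bitnami/apache/bin/apachectl -M)"`; "unpatched-no-http2" still means the update is due, it only means the HTTP/2 code path is not reachable.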

A question, really, because I haven't used Bitnami much.
Can you upgrade only apache http or does it really require the whole setup of a new server, loaded with new stack, and then migrate the data?

Thanks,
Dave

Hi @yoda17

The recommended procedure is to launch a fresh new server. That guarantees that other components (and not only apache) are also updated.

Additionally, I just want to mention that we have guides that cover the migration process, should you find them handy :slightly_smiling_face:

Best regards,
Jose Antonio Carmona

