5 Replies Latest reply on Mar 2, 2017 2:36 PM by PointInSpace

    Apache 4.2.18 has multiple vulnerabilities

    callmedave

      FMS 15.0.3.308 provides Apache 4.2.18, which has multiple vulnerabilities that have been fixed in 4.2.25:

       

      https://httpd.apache.org/security/vulnerabilities_24.html

       

      Our network security team has flagged our server for running an out of date version of Apache. I talked to FileMaker support and they have no instructions on how to manually update the Apache that's provided by FMS.

       

      Apache 4.2.25 has been out for over two months; can anyone tell me how long it's historically taken FileMaker Inc. to update the open source components of their server to more secure versions?

       

      Thanks,

       

      Dave

        • 1. Re: Apache 4.2.18 has multiple vulnerabilities
          nicolai

          I might be wrong, but as far as I remember FileMaker Server does not install Apache, but uses the one which comes with the OS.

           

          Try to update the OS; if that does not help, try manually updating Apache.

          • 2. Re: Apache 4.2.18 has multiple vulnerabilities
            james_quiggins

            Hi Dave,

             

            Could you check the version of Apache located at /usr/sbin/httpd to see if it's 2.2? This is the OS httpd and I suspect it is out of date. You might be able to output the version by typing 'httpd -v' in Terminal.

             

            FWIW, I'm running FMS15 on 10.12.3 with the following output:

            sh-3.2# httpd -v
            Server version: Apache/2.4.23 (Unix)
            Server built:   Aug  8 2016 18:10:45

             

            If you're running MacOS 10.11, I believe revision 11.4 updates to Apache 2.4.

             

            Hope that helps,

            James Quiggins

            • 3. Re: Apache 4.2.18 has multiple vulnerabilities
              callmedave

              httpd -v will indeed return the version of Apache provided by macOS at /usr/sbin/httpd. On this server it's 4.2.23, but a Nessus scan of the machine returns 4.2.18 on port 443.

               

              My conversation with FileMaker tech support confirmed my online research that the FMS installation provides the instance of Apache that the server uses. My 1st tier support person spoke with FM engineers who confirmed that 4.2.18 is indeed what's used in FMS 15.0.3.308, confirming the report of our network security team (in whom I have the utmost confidence).

              • 4. Re: Apache 4.2.18 has multiple vulnerabilities
                james_quiggins

                Hi Dave,

                    

                Please check the path of the httpd process FileMaker Server is using:

                          1. Open Activity Monitor and locate httpd launched by FileMaker Server. You'll see it running under the fmserver user or the user under which you installed FileMaker Server.

                          2. Sample that process.

                          3. Locate the path of httpd.

                 

                Here's my result:

                     Analysis of sampling httpd (pid 419) every 1 millisecond
                     Process:         httpd [419]
                     Path:            /usr/sbin/httpd

                 

                FileMaker Server uses Library/FileMaker Server/HTTPServer/bin/httpctl to start httpd. Here's the actual code:

                       start|stop|restart|graceful)
                                echo /usr/sbin/httpd -k $ARGV -D FILEMAKER -f "$HTTP_ROOT/conf/$HTTPD_CONF"
                                /usr/sbin/httpd -k $ARGV -D FILEMAKER -f "$HTTP_ROOT/conf/$HTTPD_CONF"
                                ERROR=$?

                As you can see it's using /usr/sbin/httpd. Please verify if your installation is using this location.

                 

                Lastly, do you mean 2.2.18 or 4.2.18? I can't seem to find any version history of Apache for 4.2.18.

                 

                Thanks,

                James Quiggins

                • 5. Re: Apache 4.2.18 has multiple vulnerabilities
                  PointInSpace

                  FileMaker tech support is wrong.  FMS uses the Apache binary that is included with OS X.

                   

                  From /Library/FileMaker Server/HTTPServer/bin/httpdctl:

                   

                       /usr/sbin/httpd -k $ARGV -D FILEMAKER -f "$HTTP_ROOT/conf/$HTTPD_CONF"

                   

                  Update OS X and you update the Apache version that both OS X *and* FileMaker Server use.

                   

                  - John

                  3 of 3 people found this helpful
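
The thread turns on reconciling three observations: the version `httpd -v` reports, the version a scanner reads from the listener on port 443, and the binary path the control script launches. The following is an added example, not part of the thread and not FileMaker's code; the function names are hypothetical, the `httpd -v` text and script lines are the ones quoted in replies 2 and 4, and the response headers are constructed sample data.

```shell
#!/bin/sh
# Added example: does the httpd binary on disk match what a scanner sees?

# Print x.y.z from `httpd -v` output read on stdin.
binary_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Print x.y.z from HTTP response headers on stdin. Prints nothing when the
# banner carries no version (e.g. "Server: Apache" under ServerTokens Prod).
banner_version() {
    tr -d '\r' | sed -n 's|^[Ss]erver: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Print the httpd binary paths a control script actually executes;
# lines that only echo the command are skipped.
httpd_paths_in_script() {
    grep -v '^[[:space:]]*echo ' |
        grep -o '[^[:space:]]*httpd -k' | sed 's/ -k$//' | sort -u
}

# compare_versions BINARY BANNER -> match | mismatch | unknown
compare_versions() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo match
    else echo mismatch
    fi
}

# Sample inputs: httpd -v text and script lines as quoted in the thread;
# the response headers are constructed, not captured from a real server.
SAMPLE_HTTPD_V='Server version: Apache/2.4.23 (Unix)
Server built:   Aug  8 2016 18:10:45'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.18 (Unix)
Content-Type: text/html'
SAMPLE_SCRIPT='    echo /usr/sbin/httpd -k $ARGV -D FILEMAKER -f "$HTTP_ROOT/conf/$HTTPD_CONF"
    /usr/sbin/httpd -k $ARGV -D FILEMAKER -f "$HTTP_ROOT/conf/$HTTPD_CONF"'

bin=$(printf '%s\n' "$SAMPLE_HTTPD_V" | binary_version)
ban=$(printf '%s\n' "$SAMPLE_HEADERS" | banner_version)
echo "launched: $(printf '%s\n' "$SAMPLE_SCRIPT" | httpd_paths_in_script)"
echo "binary=$bin banner=$ban result=$(compare_versions "$bin" "$ban")"
# On a live host, feed real data instead of the samples:
#   /usr/sbin/httpd -v | binary_version;  curl -skI https://localhost/ | banner_version
```

A `mismatch` result means the process answering on that port is not the binary that was checked, or was started before that binary was updated and has not been restarted since; `unknown` means the banner exposes no version and the process path has to be checked directly.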