Apache security issue


(charles b) #1

Our security department has advised that Apache on the device below has vulnerabilities.

Is the easiest way to address simply to upgrade the ios ? Or can appache be upgraded or patched ?

Which of the below would i upgrade ?

#sh ver
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)

(Lazaros Agapides) #2

Hello Charles

Cisco has indeed issued a warning about Apache Struts2 and some products of Cisco that are affected by this. You can find information about this advisory here.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

However, I have been unable to find any specific apache bug pertaining to the above version of IOS. Now this IOS is running on an ASR router platform, which doesn’t run Apache itself. Indeed I have looked into all bugs of this IOS version using Cisco’s bug search tool, and none indicate anything with Apache. In the link above, you can see the Cisco products that are affected by the security issue with Apache.

Having said that, if there are any security vulnerabilities in an IOS version, Apache notwithstanding, the best way to deal with them is indeed an upgrade to the latest stable version.

I suggest you further investigate the security issue your security department is referring to, to verify what systems need some intervention.

I hope this has been helpful!

Laz