Author |
|
raghu7548
Joined: 11 Oct 2024 Posts: 5 Location: Singapore
|
Posted: Fri 11 Oct '24 11:40 Post subject: Request for OpenSSL Update to Address Security Vulnerability |
|
|
Hi,
In vulnerability scans have picked up out-of-date OpenSSL files within an Apache install. The current version of Apache is 2.4.62 and the version of openssl inside it is 3.1.6.
Scans recommend updating openssl to 3.1.7 or later to resolve the specified vulnerability (Vulnerability Plugin ID : 201082).
Please let us know how to update openssl to 3.17 or later ? |
|
Back to top |
|
Otomatic
Joined: 01 Sep 2011 Posts: 213 Location: Paris, France, EU
|
Posted: Fri 11 Oct '24 11:53 Post subject: |
|
|
Hi,
It is an error in the changelog.
For Apache 2.4.62 dated 4 sep 24 openssl is 3.1.7 |
|
Back to top |
|
raghu7548
Joined: 11 Oct 2024 Posts: 5 Location: Singapore
|
Posted: Fri 11 Oct '24 12:03 Post subject: |
|
|
--Are you saying that Apache 2.4.62, dated September 4, 2024, includes OpenSSL version 3.1.7? |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
|
Back to top |
|
raghu7548
Joined: 11 Oct 2024 Posts: 5 Location: Singapore
|
Posted: Fri 11 Oct '24 16:11 Post subject: |
|
|
Hi,
I encountered an issue while attempting to run the OpenSSL version command. Unfortunately, it returned an “access denied” error.
C:\Apache24\bin>openssl version
Access is denied. |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Fri 11 Oct '24 16:14 Post subject: |
|
|
Start Apache and in the error.log you see the OpenSSL version is loaded |
|
Back to top |
|
raghu7548
Joined: 11 Oct 2024 Posts: 5 Location: Singapore
|
Posted: Fri 11 Oct '24 16:32 Post subject: |
|
|
I've initiated the Apache service and searched for the error.log file, but it's not located in the expected C:\Softwares\httpd-2.4.62-240904-win64-VS17\Apache24\logs directory. |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Fri 11 Oct '24 17:01 Post subject: |
|
|
Is Apache running ?
Where did you installed Apache ?
In c:\apache24 ? |
|
Back to top |
|
raghu7548
Joined: 11 Oct 2024 Posts: 5 Location: Singapore
|
Posted: Sat 12 Oct '24 0:53 Post subject: |
|
|
I located the error log file, but I couldn't find the OpenSSL version listed in it.
[Sat Oct 12 06:49:16.012412 2024] [mpm_winnt:notice] [pid 27320:tid 372] AH00455: Apache/2.4.62 (Win64) configured -- resuming normal operations
[Sat Oct 12 06:49:16.012412 2024] [mpm_winnt:notice] [pid 27320:tid 372] AH00456: Apache Lounge VS17 Server built: Sep 4 2024 10:31:52
[Sat Oct 12 06:49:16.012412 2024] [core:notice] [pid 27320:tid 372] AH00094: Command line: 'C:\\Apache24\\bin\\httpd.exe -d C:/Apache24'
[Sat Oct 12 06:49:16.044122 2024] [mpm_winnt:notice] [pid 27320:tid 372] AH00418: Parent: Created child process 25596
[Sat Oct 12 06:49:16.715944 2024] [mpm_winnt:notice] [pid 25596:tid 416] AH00354: Child: Starting 64 worker threads. |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Sat 12 Oct '24 9:10 Post subject: |
|
|
OpenSSL is not enabled. |
|
Back to top |
|