
I'm trying to upgrade the httpd version on my Amazon EC2 instance because our security team asked me to do so.

Can anyone advise the easiest way to upgrade the httpd module?

I was told I needed to upgrade from this 2.4.48 to 2.4.56

[root@ip-172-X ec2-user]# httpd -v
Server version: Apache/2.4.48 ()
Server built:   Jun 25 2021 18:53:37
[root@ip-172-X ec2-user]# sudo yum update httpd
Loaded plugins: extras_suggestions, langpacks, update-motd
No packages marked for update
[root@ip-172-X ec2-user]#

But yum says no updates available?

If I try to do yum install httpd it goes back to 2.3.34?


2 Answers


There is no package with a newer version in the Amazon repo. You should wait for this, and ask your security team to check whether the particular security issue exists in the Amazon version of httpd.
You can try to clear the yum cache and check if you will find the package:

yum clean all
yum search httpd
  • So you mean I shouldn't try to upgrade? Why does the Amazon version say 2.4.34 is their latest?
    – eezetee
    Nov 20 at 11:11
  • @eezetee, you should update when the package is available in the Amazon repo. Why this is the last version, you should ask Amazon.
    Nov 20 at 11:13
  • Thanks Romeo. The two CVEs are alas.aws.amazon.com/cve/html/CVE-2023-25690.html and alas.aws.amazon.com/cve/html/CVE-2023-27522.html, but I don't know how to see if they are fixed?
    – eezetee
    Nov 20 at 11:38
  • @eezetee, see my updated answer
    Nov 20 at 11:52

The first step is to ask two questions:

  1. Why is an upgrade required?

    The fairly typical response will come from your enterprise security team and often boils down to:

    Our tooling detected that your system is vulnerable to one or more known vulnerabilities, including CVE numbers X, Y and Z and the vendor recommendation(s) to address that vulnerability states:

    Users are recommended to upgrade to version [latest-version], which fixes the issue.
    As for example seen in the recommendations on https://httpd.apache.org/security/vulnerabilities_24.html

    That is often not the best remediation.

  2. Followed by: How did you determine that my system is vulnerable?
    The response from the security team is rarely:

    We performed a penetration test and were successful in exploiting CVE-2023-X, CVE 2023-Y etc.

    And much more commonly:

    Your vulnerable application advertises a version number X.Y.Z and our tooling did a version lookup in a database like: cvedetails.com -> Apache -> HTTPD and found one or more vulnerabilities for that version.

    This second method is often a cause of false positives.


Whether you're actually vulnerable, and how to address that, depends on which Linux distribution and version your system is on and on how the vulnerable software was installed:

  • When your vulnerable software was compiled from source by yourself, then typically your system will be running exactly the version that it advertises and your system will be vulnerable.
    You will need to download the latest upstream release, recompile, test and deploy. Also consider subscribing to the upstream mailing list so you'll be notified about new releases and can respond much more promptly in the future.

    To determine which packages were installed with the package manager, use for example apt list --installed or yum list installed, or use something like rpm -qf /usr/sbin/httpd or dpkg-query -S /usr/bin/adduser to find out whether the vulnerable programme is owned by a package or not.

  • When you're on a Linux distribution that backports security updates, there is no direct correlation between the reported version number and patch status. This frequently causes false positives.

    This explanation is from Red Hat, but the effects with regard to security updates in Ubuntu (LTS) releases, (Open)SUSE and Amazon Linux (not for all packages though) are roughly the same. Applying security updates will address vulnerabilities without updating the software version.

    Assuming that the software is a standard component of your enterprise Linux distribution, that the distribution is still supported and that (security) updates have not been disabled, then applying normal updates is sufficient to keep your system secure. The distribution will have assessed each new CVE, determined if the version they ship is actually affected, if necessary backported the upstream fix, and will (eventually) have released a security update.

    Determine your Linux distribution / release with for example hostnamectl and/or lsb_release -a, or by checking the /etc/*-release files.

    Confirm that the (security) update repos are enabled with for example: yum repolist or cat /etc/apt/sources.list /etc/apt/sources.list.d/*

    To state the obvious: when a system is no longer supported you won't receive any security updates from the vendor anymore.

    You may need to check the distribution-specific security database (for example https://access.redhat.com/security/security-updates/cve https://ubuntu.com/security/cves https://www.suse.com/security/cve/ https://alas.aws.amazon.com/ ) to see if a CVE affects your system and if an update was released. (There are better distribution-specific (command line) tools to perform such searches / make such reports.)

    Determine the patch version (release) of the (rpm/deb) package (rpm -qi httpd or apt show apache2) rather than the version number the software reports (/sbin/httpd -v) to see if your system has been updated correctly or still needs updating.

    Use for example rpm -q --changelog httpd or apt-get changelog apache2 to report which CVEs have been fixed in a particular installed package when you need to convince the security department that your system is not vulnerable.

  • Great info. I'll go through this and see what I can do. Right now it shows no Amazon Linux update available and their latest is 2.4.34 whereas I'm at 2.4.48 already. That said, if indeed the security team did just do a version crawl and reporting that I'm vulnerable, if my version is indeed 2.4.48 then it would see I am. The reason I say this is because if Amazon is 2.4.34 and I am 2.4.48 then it must have come in the first install I did.
    – eezetee
    Nov 21 at 1:15
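As an added example (not code from either answer, and not an Amazon Linux tool), here is a small POSIX shell script that does the changelog check the second answer ends with: it looks for given CVE IDs in a package's changelog, the place where a backporting distribution records a fix that did not bump the upstream version number. It runs first against a constructed sample changelog in rpm -q --changelog style, and a second function does the same check against the live package manager (rpm, or apt-get changelog on Debian/Ubuntu). The sample entries, dates and maintainer address are made up for illustration and say nothing about what Amazon Linux actually shipped for CVE-2023-25690 or CVE-2023-27522.

```shell
#!/bin/sh
# Added example: check whether specific CVE IDs are mentioned in a package
# changelog. On a distribution that backports fixes, this is the evidence to
# hand the security team, not the version string the binary advertises.

# Constructed sample changelog text in the style of `rpm -q --changelog httpd`.
# These entries are invented for this example; they are not real distro entries.
SAMPLE_CHANGELOG='* Mon Apr 03 2023 Example Maintainer <maint@example.invalid> - 2.4.48-3.example
- Resolves: CVE-2023-25690 (backported upstream fix, version number unchanged)
* Fri Jan 20 2023 Example Maintainer <maint@example.invalid> - 2.4.48-2.example
- Rebuild against updated OpenSSL
'

# cve_status CHANGELOG_TEXT CVE-ID...
# Prints one line per CVE ID: "<CVE> fixed" if the changelog mentions it,
# "<CVE> not-mentioned" otherwise. Returns 0 only if every ID was found.
# -w keeps CVE-2023-2569 from matching inside CVE-2023-25690.
cve_status() {
    changelog=$1; shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiw -- "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve not-mentioned"
            missing=1
        fi
    done
    return $missing
}

# pkg_cve_status PACKAGE CVE-ID...
# Same check against the installed package's changelog. Assumes either rpm or
# apt-get is present; returns 2 if the changelog could not be read.
pkg_cve_status() {
    pkg=$1; shift
    if command -v rpm >/dev/null 2>&1; then
        changelog=$(rpm -q --changelog "$pkg") || return 2
    elif command -v apt-get >/dev/null 2>&1; then
        changelog=$(apt-get changelog "$pkg" 2>/dev/null) || return 2
    else
        echo "no supported package manager found" >&2
        return 2
    fi
    cve_status "$changelog" "$@"
}

# Usage on a live host, e.g.:
#   pkg_cve_status httpd CVE-2023-25690 CVE-2023-27522
# Against the constructed sample:
#   cve_status "$SAMPLE_CHANGELOG" CVE-2023-25690 CVE-2023-27522
```

A "not-mentioned" result is not proof of vulnerability: the distribution may have decided the shipped version is not affected, or may not have released the update yet, which is exactly what the distribution's own CVE database (for Amazon Linux, alas.aws.amazon.com) is for. A "fixed" line, on the other hand, is what turns a version-based scanner finding into a documented false positive.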
