Updating Apache, PHP, and OpenSSL to fix vulnerabilities

We recently started using InsightVM to scan our servers for vulnerabilities and unfortunately our Libre server is at the top of the list. Most of the vulnerabilities have to do with Apache, PHP and OpenSSL. I will post the ./validate output as well as the list of vulnerabilities being reported below. Has anyone had any luck updating these three components independent of what Libre includes for them in the standard daily updates? It looks like (ideally) InsightVM would like us to be on the latest versions of Apache (2.4.41), PHP (7.3.8) and OpenSSL (1.1.1d), but I’d be curious what the latest version of each is that is compatible with Libre. Thanks for your help!

atlibrenms01 librenms]$ ./validate.php
Component Version
LibreNMS 1.55-45-gee2a847
DB Schema 2019_09_05_153524_create_notifications_attribs_index (141)
PHP 7.2.11
MySQL 5.5.56-MariaDB
RRDTool 1.4.8

[OK] Composer Version: 1.9.0
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
[WARN] Some devices have not been polled in the last 5 minutes. You may have performance issues.
Check your poll log and see: http://docs.librenms.org/Support/Performance/
and 116 more…
[FAIL] Some devices have not completed their polling run in 5 minutes, this will create gaps in data.
Check your poll log and see: http://docs.librenms.org/Support/Performance/

and 37 more…
[FAIL] Discovery has not completed in the last 24 hours.
Check the cron job to make sure it is running and using discovery-wrapper.py
[WARN] Your install is over 24 hours out of date, last update: Thu, 26 Sep 2019 02:51:07 +0000
Make sure your daily.sh cron is running and run ./daily.sh by hand to see if there are any errors.

InsightVM reports:

Upgrade to the latest version of Apache HTTPD
Rollup patch remediation steps
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz

The latest version of Apache HTTPD is 2.4.41.

Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

Resolves 33 vulnerabilities
Apache HTTPD: bypass with a trailing newline in the file name (CVE-2017-15715)
Apache HTTPD: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
Apache HTTPD: Apache httpd URL normalization inconsistency (CVE-2019-0220)
Apache HTTPD: DoS vulnerability in mod_auth_digest (CVE-2016-2161)
Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704)
Apache HTTPD: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
Apache HTTPD: HTTP_PROXY environment variable “httpoxy” mitigation (CVE-2016-5387)
Apache HTTPD: Limited cross-site scripting in mod_proxy error page (CVE-2019-10092)
Apache HTTPD: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
Apache HTTPD: Padding Oracle in Apache mod_session_crypto (CVE-2016-0736)
Apache HTTPD: Possible out of bound access after failure in reading the HTTP request (CVE-2018-1301)
Apache HTTPD: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
Apache HTTPD: Tampering of mod_session data for CGI applications (CVE-2018-1283)
Apache HTTPD: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
Apache HTTPD: Use-after-free when using with an unrecognized method in .htaccess (“OptionsBleed”) (CVE-2017-9798)
Apache HTTPD: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
Apache HTTPD: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
Apache HTTPD: ap_some_auth_required API unusable (CVE-2015-3185)
Apache HTTPD: mod_auth_digest access control bypass (CVE-2019-0217)
Apache HTTPD: mod_cache crash (CVE-2013-4352)
Apache HTTPD: mod_cache crash with empty Content-Type header (CVE-2014-3581)
Apache HTTPD: mod_cgid denial of service (CVE-2014-0231)
Apache HTTPD: mod_dav crash (CVE-2013-6438)
Apache HTTPD: mod_deflate denial of service (CVE-2014-0118)
Apache HTTPD: mod_log_config crash (CVE-2014-0098)
and 8 additional vulnerabilities …

Upgrade to the latest version of OpenSSL
Rollup patch remediation steps
Download and apply the upgrade from: http://ftp.openssl.org/source/openssl-1.1.1d.tar.gz

The latest version of OpenSSL is 1.1.1d.

Resolves 13 vulnerabilities
OpenSSL 0-byte record padding oracle (CVE-2019-1559)
OpenSSL Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
OpenSSL Client DoS due to large DH parameter (CVE-2018-0732)
OpenSSL Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
OpenSSL ECDSA remote timing attack (CVE-2019-1547)
OpenSSL Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
OpenSSL Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
OpenSSL Read/write after SSL object in error state (CVE-2017-3737)
OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734)
OpenSSL Windows builds with insecure path defaults (CVE-2019-1552)
OpenSSL bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
OpenSSL rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Upgrade to the latest version of PHP
Rollup patch remediation steps
Download and apply the upgrade from: http://www.php.net/downloads.php

The latest version of PHP is 7.3.8.

Resolves 20 vulnerabilities
PHP Vulnerability: CVE-2018-17082
PHP Vulnerability: CVE-2018-19935
PHP Vulnerability: CVE-2018-20783
PHP Vulnerability: CVE-2019-11036
PHP Vulnerability: CVE-2019-11038
PHP Vulnerability: CVE-2019-11039
PHP Vulnerability: CVE-2019-11040
PHP Vulnerability: CVE-2019-11041
PHP Vulnerability: CVE-2019-11042
PHP Vulnerability: CVE-2019-6977
PHP Vulnerability: CVE-2019-9020
PHP Vulnerability: CVE-2019-9021
PHP Vulnerability: CVE-2019-9022
PHP Vulnerability: CVE-2019-9023
PHP Vulnerability: CVE-2019-9024
PHP Vulnerability: CVE-2019-9637
PHP Vulnerability: CVE-2019-9638
PHP Vulnerability: CVE-2019-9639
PHP Vulnerability: CVE-2019-9640
PHP Vulnerability: CVE-2019-9641

All compatible and recommended.

Thanks for the reply. Do you have any tips on updating these without crashing the web front end? I’m somewhat new to RHEL and when I attempted updating PHP to 7.3, I could no longer pull up the libre web page. I rolled back using a snapshot I created ahead of time.

Probably just a PHP conflict in the OS; did you remove the old PHP? Googling may help you. I use PHP 7.3 on CentOS 7 now.
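A check worth running before (or instead of) replacing distro packages with upstream tarballs: RHEL and CentOS backport security fixes into their own package builds without changing the upstream version string, so a finding that keys on "Apache 2.4.x" or "OpenSSL 1.0.x" does not by itself prove that a listed CVE is still open on that host. The example below is added here and is not code from the thread or from the LibreNMS project. It pulls the CVE IDs out of a scanner report and lists the ones that an RPM changelog (`rpm -q --changelog PKG`) never mentions, which are the ones that still need checking against the vendor advisory. The changelog text, maintainer, bug numbers and release numbers in the sample are constructed so the script runs offline; the report lines are four of the InsightVM findings quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from LibreNMS): compare the CVE IDs a
# scanner lists against an RPM package's changelog. RHEL/CentOS backport
# security fixes into the distro package without changing the upstream version
# string, so "httpd 2.4.x is old" is not by itself proof that a CVE is open.
#
# On the real host you would feed it live data, e.g.:
#   rpm -q --changelog httpd | cves_missing_from_changelog "$(extract_cves < insightvm_report.txt | tr '\n' ' ')"

# Read a scanner report on stdin; print the distinct CVE IDs it mentions, sorted.
extract_cves() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# $1: space-separated CVE IDs. stdin: a package changelog (e.g. rpm -q --changelog PKG).
# Prints the CVE IDs that never appear in the changelog, i.e. the ones that still
# need a human to check against the vendor advisory (not applicable, not yet
# fixed, or fixed under a different description).
cves_missing_from_changelog() {
  local wanted="$1" changelog cve
  changelog=$(cat)
  for cve in $wanted; do
    if ! printf '%s\n' "$changelog" | grep -qiF -- "$cve"; then
      printf '%s\n' "$cve"
    fi
  done
}

# Constructed sample data so the example runs offline. The changelog lines are
# made up (hypothetical maintainer, bug numbers and release numbers); the report
# lines are four of the findings quoted in the thread.
SAMPLE_CHANGELOG='* Tue Aug 13 2019 Example Maintainer <maint@example.invalid> - 2.4.6-90
- Resolves: #1000001 - CVE-2017-15715 httpd: bypass with a trailing newline in the file name
- Resolves: #1000002 - CVE-2019-0220 httpd: URL normalization inconsistency
* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 2.4.6-80
- Resolves: #1000003 - CVE-2016-8743 httpd: HTTP request parsing whitespace defects'

SAMPLE_REPORT='Apache HTTPD: bypass with a trailing newline in the file name (CVE-2017-15715)
Apache HTTPD: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
Apache HTTPD: Apache httpd URL normalization inconsistency (CVE-2019-0220)
Apache HTTPD: DoS vulnerability in mod_auth_digest (CVE-2016-2161)'

# Run the comparison on the sample data; prints the CVEs the sample changelog
# does not account for (here only CVE-2016-2161).
demo() {
  local cves
  cves=$(printf '%s\n' "$SAMPLE_REPORT" | extract_cves | tr '\n' ' ')
  printf '%s\n' "$SAMPLE_CHANGELOG" | cves_missing_from_changelog "$cves"
}

demo
```

A CVE that does show up in the changelog is a strong sign the distro already shipped the fix under the old version number; a CVE that does not show up is not proof the host is vulnerable either (CVE-2019-1552 in the OpenSSL list, for instance, only concerns Windows builds), so the leftover list is what you take to the vendor's advisory page, not a to-do list of tarballs to compile.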