Why don't people update their Apache HTTP servers?!!

CVE-2022-31813, a vulnerability in the Apache HTTP servers, allows attackers to bypass any IP-based authentication implemented to prevent unauthorized access to servers or devices. This thus enables attackers to gain access to the servers, even if they attempt to do so from IP addresses that are supposed to be blocked.

 

I can't believe this CVE was found last year, but there are still over 9 million servers exposed to it.

 

People shouldn't complain when they get attacked and update their servers ASAP.


  • Not everything is easily updatable.
  • Manufacturers of devices that use open-source packages don't maintain shit.
  • Users are unaware of the security issues and they don't care.

IT security hasn't trickled down into the minds of plebs just yet; we need a couple of decades longer.


With regards to the specific vuln, I doubt many of those implementations actually use IP-based filtering in the first place.

 

But yeah, people don't maintain things.


There could be many reasons.

1) A lot of times, these components are part of a larger system that is shipped as a single thing. A single product can be made up of multiple components. I am sure a lot of people reading this are familiar with Discord. The program "Discord" is actually comprised of tens if not hundreds of "mini programs". When you install Discord, you also get programs like Electron, a framework based on Chromium (the browser used as the base for Google Chrome and many other browsers).

The version of Electron that's used in the latest version of Discord is 22.3.2.

The latest version of Electron that's released is version 25.1.1

 

If you install Discord today, you are installing software that's over 3 months old.

Electron version 22.3.2 also contains its own set of components that are outdated. For example, Electron version 22.3.2 is based on Chromium version 108.0.5359.215, which is a version released in January. So whenever you run Discord, you are effectively running a 6 month old version of Chrome that can have a ton of unpatched vulnerabilities.

Pointing to someone running the latest version of Discord and saying "hey, you are running a 6-month out-of-date browser that should be updated" is easier said than done when the outdated component is part of a different component that is part of the end-user program. It's especially difficult if the developer (in this case Discord) doesn't have the update integrated into their product already, and integrating it yourself could cause all kinds of issues.

 

It's the same with the Apache web server. It is used in the backend of a lot of software, and you can't just update that piece without also updating other pieces, which might result in compatibility issues.

 

 

2) A lot of security issues have workarounds. In this particular case, the feature that's broken is the IP-based authentication feature. A lot of servers might have that feature turned off because they have other security measures in place. In that case, it doesn't matter that the feature doesn't work as intended.

 

 

3) A large portion of those 9 million servers might not contain valuable information to begin with. I have a website that's just a static page with some text and some images on it. I don't use it for anything and I doubt anyone cares about it. I haven't updated it in a while, but even if someone managed to hack it they couldn't really do any damage.

 

 

4) A lot of people don't care or don't know about the risks. I hadn't heard about this particular vulnerability until today, and most people don't know 999 out of every 1000 vulnerabilities out there. It's easy to overlook, which is why I am almost always against people "hosting their own thing" because it's very complicated and requires a lot of effort to stay on top of not just the various versions, but also which features are vulnerable or not.


Why would I waste money paying someone to maintain infrastructure? It hasn't broken yet


How did they/you determine these numbers of servers are still vulnerable?

 

If people just install whatever version of Apache exists in the long-term-support variant of whatever Linux distro they use, security fixes are backported into it without changing the outside version info.

That could affect that number.

 

Also, not everybody actually uses this mechanic.
And even if you do, usually when you want servers only available from specific sets of IPs you employ a firewall.

This will probably mostly be an issue for hosters that run a multitude of websites that have their own individual access requirements.
And they will probably have their patch management in order.
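The backport point above is easy to get wrong in a scan: a distro package can carry the CVE-2022-31813 fix while still reporting the old upstream version string. This added example (not from the thread or any real package) parses a constructed Debian-style changelog and compares a naive version check with a changelog check; the upstream fixed release is an assumption and should be taken from the httpd CHANGES file.

```python
import re

CVE = "CVE-2022-31813"
UPSTREAM_FIXED = (2, 4, 54)  # assumption for illustration, not taken from the thread

# Constructed Debian-style changelog, newest entry first (not a real package).
CHANGELOG = """\
apache2 (2.4.52-1example2) stable-security; urgency=high

  * SECURITY UPDATE: mod_proxy X-Forwarded-* header handling
    - CVE-2022-31813

 -- Example Maintainer <maint@example.invalid>  Wed, 15 Jun 2022 10:00:00 +0000

apache2 (2.4.52-1example1) stable; urgency=medium

  * New upstream release

 -- Example Maintainer <maint@example.invalid>  Mon, 10 Jan 2022 10:00:00 +0000
"""
# Entry header: "<package> (<version>) <distribution>; urgency=<level>"
_HEADER = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=\S+$", re.M)

def parse_changelog(text):
    """Return [(package_version, {CVE ids named in that entry}), ...], newest first."""
    entries = []
    matches = list(_HEADER.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end]
        entries.append((m.group(2), set(re.findall(r"CVE-\d{4}-\d{4,}", body))))
    return entries

def upstream_version(pkg_version):
    """'2.4.52-1example2' -> (2, 4, 52): the part before the distro revision."""
    return tuple(int(p) for p in pkg_version.split("-", 1)[0].split("."))

def naive_check(pkg_version):
    """Version-string comparison only; True means 'looks vulnerable'. Ignores backports."""
    return upstream_version(pkg_version) < UPSTREAM_FIXED

def changelog_check(pkg_version, changelog, cve=CVE):
    """True = vulnerable, False = fixed, None = build not in this changelog."""
    entries = parse_changelog(changelog)
    versions = [v for v, _ in entries]
    if pkg_version not in versions:
        return None
    older_or_same = entries[versions.index(pkg_version):]  # installed entry and everything before it
    return not any(cve in cves for _, cves in older_or_same)
```

Run against both constructed builds: the naive check flags both as vulnerable because the upstream part is 2.4.52 either way, while the changelog check clears the security build that names the CVE.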


Never change a winning team... ~

 

 

On 6/15/2023 at 8:09 PM, Yoinkerman said:

Why would I waste money paying someone to maintain infrastructure? It hasn't broken yet

Right on! 

/s
