OBAM vulnerable Apache version...
Advisor
Steve Hinchman
Posts: 41
Registered: ‎11-22-1999
Message 1 of 9 (35 Views)
Accepted Solution

OBAM vulnerable Apache version...

Hello,

Security is "dinging" us for the following vulnerable Apache version:

# cd /usr/obam/server/bin
# ./httpd -version
Server version: Apache/1.3.9 (Unix)
Server built: Sep 20 2001 18:30:25

I just installed PHCO_35520 (SAM upgrade) and this did not upgrade apache.

Can someone tell me what I must do to upgrade this product? Or what the impact would be of deleting this httpd?

Thanks,
Steve Hinchman
Esteemed Contributor
Marco A.
Posts: 521
Registered: ‎09-28-2006
Message 2 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

Hello Steve,

Have you tried the SWA tool? It could tell you exactly the patches and software that you need to avoid security vulnerabilities.

I hope this helps,

You can take the tool from http://software.hp.com/ (search for SWA).

Rgds,

Marc'o
Just unplug and plug in again ....
Honored Contributor
Mel Burslan
Posts: 3,212
Registered: ‎08-26-1998
Message 3 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

If your server is not using any kind of web access to any of the applications, you can safely turn off the httpd daemon by setting the variable APACHE_START=0 in the /etc/rc.config.d/apacheconf file.

Hope this helps.

By the way, in case you want to update the apache web server, just go to

http://hpux.cs.utah.edu/

and search for apache for later versions.
________________________________
UNIX because I majored in cryptology...
Esteemed Contributor
Marco A.
Posts: 521
Registered: ‎09-28-2006
Message 4 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

Yes, you can also install a newer version.

In addition..., the right link is...

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

Best regards,

Marc'o
Just unplug and plug in again ....
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 5 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

Shalom Steve,

Get the latest release of apache 1.3.x from http://software.hp.com

HP has dropped support for this version of apache and you might be advised to update to the latest 2.0.x version from the site linked above. Search for hpws.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Advisor
Steve Hinchman
Posts: 41
Registered: ‎11-22-1999
Message 6 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

These are DoD systems and we stay 6 months behind the latest patch bundles to maximize the testing period for new patches.

I need to leave apache enabled in /etc/rc.config.d because applications are using other installed versions of apache.

What would break if I simply removed httpd from /usr/obam/server/bin?

Regards,
Steve
Honored Contributor
Mel Burslan
Posts: 3,212
Registered: ‎08-26-1998
Message 7 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

As far as I know, obam is a user interface management abstraction layer, and the only application using it right out of the box is SAM. If you are not using sam over a web interface, more than likely it will not break anything, but again, since this is a general purpose application, for the lack of a better term, if some other app was written dependent on it, you may experience difficulty later, should you choose to remove the binary. Instead, you can rename it to something else to save it, and then, if something needs it and cries out for a missing executable, you can restore it with ease.

HTH
________________________________
UNIX because I majored in cryptology...
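The rename-instead-of-delete approach from the post above, as an added example that is not part of the original thread: POSIX sh functions that read the version an httpd binary reports, flag Apache 1.3.x, and set the binary aside so it can be restored. The path and the `-version` output format come from the first post; the function names and the `.disabled` suffix are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the ".disabled"
# suffix are hypothetical; the default path is the one quoted in the thread.
OBAM_HTTPD=${OBAM_HTTPD:-/usr/obam/server/bin/httpd}

# Print the bare version (e.g. 1.3.9) from "httpd -version" output of the form
#   Server version: Apache/1.3.9 (Unix)
httpd_version() {
    "$1" -version 2>/dev/null |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Succeed only if the binary reports an Apache 1.3.x version.
is_apache_13() {
    case "$(httpd_version "$1")" in
        1.3.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Rename the binary rather than deleting it; print the saved path.
# Refuses to overwrite a copy saved by an earlier run.
set_aside() {
    _dst="$1.disabled"
    if [ ! -f "$1" ]; then echo "no such file: $1" >&2; return 1; fi
    if [ -e "$_dst" ]; then echo "already exists: $_dst" >&2; return 1; fi
    mv "$1" "$_dst" && echo "$_dst"
}

# Put the saved binary back under its original name.
restore() {
    _src="$1.disabled"
    if [ ! -f "$_src" ]; then echo "nothing saved for: $1" >&2; return 1; fi
    if [ -e "$1" ]; then echo "refusing to overwrite: $1" >&2; return 1; fi
    mv "$_src" "$1"
}

# Report only; renaming is left as an explicit call to set_aside.
if [ -x "$OBAM_HTTPD" ]; then
    echo "$OBAM_HTTPD reports Apache $(httpd_version "$OBAM_HTTPD")"
    is_apache_13 "$OBAM_HTTPD" && echo "flagged: Apache 1.3.x"
fi
```

Running `set_aside "$OBAM_HTTPD"` performs the rename, and `restore "$OBAM_HTTPD"` undoes it if an application turns out to need the binary.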
Advisor
Steve Hinchman
Posts: 41
Registered: ‎11-22-1999
Message 8 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

I am going to rename the httpd exec and see if anything breaks. Thanks for all your responses.
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 9 of 9 (35 Views)

Re: OBAM vulnerable Apache version...

Steve,

Security Bulletin HPSBUX01047 tells you to disable that version of Apache if installed. Here is the URL to that document:

https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00965446-1

Some background: There are two versions of OBAM, which is an internal library used for much of the TUI/GUI functionality you see in SAM, swinstall, etc. Obam4 is what you are used to seeing. Obam5 was not widely used, but is the one you are having the problem with (and the one that should be disabled per the above bulletin).

The only two applications that used Obam5 were Service Control Manager (now replaced by HPSIM, which does not use Obam) and an older version of PartitionManager (the new one also does not use Obam).

If you are not using either of these applications, you can safely remove Obam and the products that depend on it (swremove will warn you when you're about to do something dangerous due to corequisites...I just did this the other day and all it took was removing those apps). If you are using those applications, you can upgrade them and then remove Obam. Or, you can apply the alternate workaround listed in the bulletin to turn it off (it is disabled by default).

The standard Apache is still supported by HP and upgrades are still issued.

I'll second the recommendation to use SWA, as it will tell you what HP security bulletins recommend before you get "dinged" by security. It can automatically download all the recommended patches and put them in a depot (and supports alternate sneakernet approaches if you don't have Internet connectivity) and performs full product and manual action analysis as well.

https://www.hp.com/go/swa

Hope that helps.

-Keith