Skip to main content

Resolving Apache Vulnerability False Positives

Nx Support
Updated

Periodically, users may receive alerts from vulnerability scanners flagging insecure Apache versions in the VMS. These alerts are typically false positives, as the VMS does not use Apache. However, the Apache name appears in the HTTP headers of the VMS WebAdmin application due to legacy third-party integrations designed to ensure compatibility with known web servers, firewalls, and antivirus systems, particularly older ones.

Verifying Apache Installation

To confirm whether Apache is installed on your system:

  • On Linux: Run the command apache2 -v in the terminal. If Apache is not installed, you will see a "command not recognized" error or a similar message.
  • On Windows: Check for an Apache installation directory, typically located in C:\Program Files or C:\Program Files (x86). If no such directory exists, Apache is not installed.

If Apache is not installed, you can safely disregard the scanner's Apache-related alerts.

Resolving the False Positive by Removing Apache Headers

If there are no legacy integrations dependent on the current configuration, you can modify the VMS WebAdmin settings to prevent the Apache headers from appearing. Follow these steps:

  1. Access the WebAdmin Settings:
    • Navigate to the WebAdmin interface, advanced settings:
      https://<server>:7001/#/settings/advanced
  2. Modify the serverHeader Setting:
    • Scroll to the serverHeader field.

    • By default, the value will look like this:
      $vmsName/$vmsVersion ($company) $compatibility
    • Update the value to:
      $vmsName/$vmsVersion
       
  3. Restart the Media Server Application:
    • After making the change, restart the media server application to apply the updated configuration.
       
  4. Validate the Change:
    • With the default configuration, the serverHeader might appear as:
      Server: Nx Meta/6.0.0.39503 (Network Optix) Apache/2.4.16 (Unix)

    • After updating the serverHeader, it should display:
      Server: Nx Meta/6.0.0.39503


       
  5. Re-run the Vulnerability Scanner:
    • After making the change and restarting the service, run the scanner again. The false positive should no longer appear.

These steps address the false positive related to Apache in the VMS. If legacy integrations are required, consider the implications of modifying the serverHeader before proceeding. 

Related to

Related articles

Comments

0 comments

Article is closed for comments.