Periodically, users may receive alerts from vulnerability scanners flagging insecure Apache versions in the VMS. These alerts are typically false positives, as the VMS does not use Apache. However, the Apache name appears in the HTTP headers of the VMS WebAdmin application due to legacy third-party integrations designed to ensure compatibility with known web servers, firewalls, and antivirus systems, particularly older ones.
Verifying Apache Installation
To confirm whether Apache is installed on your system:
- On Linux: Run the command apache2 -v in the terminal. If Apache is not installed, you will see a "command not recognized" error or a similar message.
- On Windows: Check for an Apache installation directory, typically located in C:\Program Files or C:\Program Files (x86). If no such directory exists, Apache is not installed.
If Apache is not installed, you can safely disregard the scanner's Apache-related alerts.
Resolving the False Positive by Removing Apache Headers
If there are no legacy integrations dependent on the current configuration, you can modify the VMS WebAdmin settings to prevent the Apache headers from appearing. Follow these steps:
- Access the WebAdmin Settings:
  - Navigate to the WebAdmin interface, advanced settings: https://<server>:7001/#/settings/advanced
- Modify the serverHeader Setting:
  - Scroll to the serverHeader field.
  - By default, the value will look like this: $vmsName/$vmsVersion ($company) $compatibility
  - Update the value to: $vmsName/$vmsVersion
- Restart the Media Server Application:
  - After making the change, restart the media server application to apply the updated configuration.
- Validate the Change:
  - With the default configuration, the serverHeader might appear as: Server: Nx Meta/6.0.0.39503 (Network Optix) Apache/2.4.16 (Unix)
  - After updating the serverHeader, it should display: Server: Nx Meta/6.0.0.39503
- Re-run the Vulnerability Scanner:
  - After making the change and restarting the service, run the scanner again. The false positive should no longer appear.
These steps address the false positive related to Apache in the VMS. If legacy integrations are required, consider the implications of modifying the serverHeader before proceeding.
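An added example for the validation step (not part of the original article and not Network Optix code): a small Python check that splits a Server header into product/version pairs, the way a banner-matching scanner reads it, and reports any product other than the VMS itself. The function names, the optional CA-file argument and the default product name "Nx Meta" (taken from the sample header in this article) are assumptions of this example.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# Sample header values copied from the validation step of this article.
BEFORE = "Nx Meta/6.0.0.39503 (Network Optix) Apache/2.4.16 (Unix)"
AFTER = "Nx Meta/6.0.0.39503"


def parse_server_header(value):
    """Split a Server header into (product, version) pairs, ignoring (comments)."""
    without_comments = re.sub(r"\([^()]*\)", " ", value)
    pairs = re.findall(r"([^/]+?)/(\S+)", without_comments)
    return [(name.strip(), version) for name, version in pairs]


def foreign_products(value, expected="Nx Meta"):
    """Return pairs whose product is not the VMS name (assumed to match $vmsName)."""
    return [(name, version) for name, version in parse_server_header(value)
            if name.lower() != expected.lower()]


def fetch_server_header(url, cafile=None):
    """GET the URL and return its Server header; cafile lets you trust a private CA."""
    context = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=10, context=context) as resp:
            return resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:
        # Error responses (401, 404, ...) still carry the Server header.
        return err.headers.get("Server", "")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: pass https://<server>:7001/ and, optionally, a CA bundle path.
        header = fetch_server_header(sys.argv[1], *sys.argv[2:3])
        extra = foreign_products(header)
        print(f"Server: {header}\nextra product tokens: {extra or 'none'}")
        sys.exit(1 if extra else 0)
    # No arguments: run against the two sample values from the article.
    for value in (BEFORE, AFTER):
        print(f"{value!r} -> extra product tokens: {foreign_products(value) or 'none'}")
```

In live mode the script exits with status 1 while a compatibility token such as Apache/2.4.16 is still present, so it can gate the scanner re-run.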