Checkmk Apache Install

CMK version: 2.1.0.p17
OS version: Ubuntu 22.04

It looks like when installing Checkmk that Apache2 gets installed with it. The version appears to be 2.4.52. This version does not pass a Nessus vulnerability scan. It's listed as a critical release (ID 158900) so I was trying to fix it. Does not look like I was able to upgrade to 2.4.53 or 4 on this install. Therefore I created a new server and installed 2.4.54 and then tried to install Checkmk. I don't see a way to not use the version that comes packaged with Checkmk and so it still installs the older version and reports that 2.4.52 is installed.
Is there an option when installing Checkmk to not include this version of Apache2 or are there plans to create a release that fixes this issue?
Thanks

The Checkmk server packages have a dependency on the Apache HTTPD (package apache2 on Debian/Ubuntu), so this gets installed automatically.

A Nessus scan is only of limited help when running against a webserver from a Linux distribution. It just compares the version string against the “latest” available version. All major Linux distributions do not deliver the latest version, but backport security fixes to their fixed versions of older software packages.

You can stop Nessus from complaining by fine tuning the Apache HTTPD to stop disclosing its version number. In Debian/Ubuntu, this is done in /etc/apache2/conf-available/security.conf.

The Apache web server installed indirectly through Checkmk installation has other issues. At least on Debian (not verified on other distros), Checkmk also has a dependency on PHP, and installing both Apache and PHP leads to an activated PHP engine on the frontend Apache, although this is not required for Checkmk. Moreover, it automatically switches Apache from mpm_event (the default on newer Apache HTTPD servers and very fast) to mpm_prefork (much slower).

On CentOS/RHEL derivatives, there are similar issues. Apache HTTPD is automatically installed there with security relevant modules like cgi, suexec or webdav turned on, although they are not needed by Checkmk.


Thanks, if the httpd dependency is already installed and running should it not default to that. You are correct that it is hard to find an install of the 2.4.54 package with a distribution. In my case I had to build it from source. I was hoping that I could find in one of the config files of Checkmk where it points to the apache install and change it to redirect to mine but no luck so far.
Since I have to report vulnerability scans, not sure if I can mask it to say it's fixed. Unless I can show that version 2.4.52 that's installed is not subject to this issue.

Hi,

we don’t ship Apache and we do not pin an exact version.
If you look at the deb file:

$ dpkg -I check-mk-enterprise-2.1.0p20_0.jammy_amd64.deb
[...]
Depends: debconf (>= 0.5) | debconf-2.0, libcap2-bin, cron, time, traceroute, curl, dialog, dnsutils, graphviz, apache2, apache2-utils, libevent-2.1-7, libltdl7, libnl-3-200, libpango-1.0-0, libperl5.34, libreadline8, libuuid1, libxml2, php-cli, php-cgi, php-gd, php-sqlite3, php-json, php-pear, rsync, smbclient, rpcbind, unzip, xinetd, freeradius-utils, libpcap0.8, rpm, binutils, lcab, libgsf-1-114, libglib2.0-0, cpio, libfl2, poppler-utils, libffi8ubuntu1, libpq5
[...]

So we ask the OS to install apache2 for us. So patches for apache have to come from your OS.

According to Apache 2.4.x < 2.4.53 Multiple Vulnerabilities | Tenable® it's about CVE-2022-22719, CVE-2022-22720, CVE-2022-22721 and CVE-2022-23943.

You can check CVE-2022-37436 | Ubuntu for the Version number that vulnerability was fixed in. (2.4.52-1ubuntu2)

Even if we take a more recent Apache vulnerability: CVE-2022-37436 was fixed with 2.4.52-1ubuntu4.3

You can view details about your local apache2 package

$ apt show apache2
Package: apache2
Version: 2.4.52-1ubuntu4.3
[...]

So according to the Security people of Ubuntu my system has the patches for these vulnerabilities. Yours might as well.
Hope this helps.
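The two checks the replies above describe, verifying that the distro's apache2 package already carries a backported fix and that security.conf stops Apache from disclosing its version, as an added shell example (not code from the thread or from Checkmk). Version strings are the ones quoted above; the config samples are constructed for the example, and the sort -V fallback is an assumption for hosts without dpkg.

```shell
#!/bin/sh
# Added example, not from the thread: does the packaged apache2 include a
# given Ubuntu security fix, and does security.conf hide the version that
# scanners such as Nessus key on?

# version_at_least INSTALLED FIXED: succeeds if INSTALLED >= FIXED in
# Debian version ordering (dpkg), with a GNU sort -V fallback elsewhere.
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# hides_version CONF: succeeds only if the last effective ServerTokens is
# "Prod" and the last effective ServerSignature is "Off"; commented lines
# are skipped because their first field begins with '#'.
hides_version() {
    tokens=$(awk 'tolower($1)=="servertokens"{v=$2} END{print tolower(v)}' "$1")
    sig=$(awk 'tolower($1)=="serversignature"{v=$2} END{print tolower(v)}' "$1")
    [ "$tokens" = "prod" ] && [ "$sig" = "off" ]
}

# Constructed sample configs: a disclosing variant and a hardened one.
tmp=$(mktemp -d)
printf 'ServerTokens OS\nServerSignature On\n' > "$tmp/weak.conf"
printf '#ServerTokens OS\nServerTokens Prod\nServerSignature Off\n' > "$tmp/hard.conf"

# CVE-2022-37436 was fixed in 2.4.52-1ubuntu4.3 (version quoted in the thread).
for v in 2.4.52-1ubuntu2 2.4.52-1ubuntu4.3; do
    if version_at_least "$v" 2.4.52-1ubuntu4.3; then
        echo "$v: carries the CVE-2022-37436 fix"
    else
        echo "$v: older than 2.4.52-1ubuntu4.3, needs apt upgrade"
    fi
done
for f in "$tmp/weak.conf" "$tmp/hard.conf"; do
    if hides_version "$f"; then echo "$f: version hidden"; else echo "$f: version disclosed"; fi
done
# On a real Debian/Ubuntu host, check the installed package the same way.
if command -v dpkg-query >/dev/null 2>&1 && inst=$(dpkg-query -W -f='${Version}' apache2 2>/dev/null); then
    if version_at_least "$inst" 2.4.52-1ubuntu4.3; then echo "installed apache2 $inst is patched"; fi
fi
rm -rf "$tmp"
```

Run it on the Checkmk host; the package comparison answers the "is 2.4.52 still affected" question with the distro's own changelog version rather than the bare upstream number Nessus matches on.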

