CERT-Bund on Apache HTTP Server vulnerabilities

KISTERS water software in configuration delivered not affected by vulnerabilities

The Computer Emergency Response Team (CERT) of the (German) Federal Administration (CERT-Bund) has published an information brief about the vulnerabilities in the Apache HTTP Server. (You may access the brief at URL: www.cert-bund.de/advisoryshort/CB-K21-1296%20UPDATE%2014.)

Analysis of the use of the Apache HTTP Server has shown that KISTERS water software, in the configuration delivered by KISTERS, is not affected by the vulnerabilities.

Since the type and location of the configuration files differ per operating system, KISTERS cannot provide general instructions for this issue. However, customers who have made their own configurations are advised to check their operating systems themselves.

Some guidance is offered below:

Windows

The KISTERS configuration has disabled mod_lua. No forward proxy is switched on (ProxyRequests on), even if mod_proxy is used.

Linux

  • KISTERS does not deliver the server program httpd, which is an operating system component.
    If a newer httpd version is available in the repository, it can be updated independently via the operating system.
  • The KISTERS configuration has no forward proxy on (ProxyRequests on), even if mod_proxy is used.
  • Under Linux, all modules are usually on by default. mod_lua is not actively used by KISTERS, so it can be deactivated manually as a precaution. Commenting out the module in the corresponding file and restarting is sufficient.
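
For customers checking their own configuration on Linux, the two conditions named above (mod_lua loaded, ProxyRequests on) can be searched for with a script like the following. This is an added example, not KISTERS or Apache code. The function names, the sample tree and the restriction to *.conf and *.load files are assumptions, and the scan is purely textual: it does not evaluate Include, IfModule or IfDefine logic.

```shell
#!/bin/sh
# Added example (not KISTERS code): report active mod_lua loading and
# forward-proxy settings in an Apache httpd configuration tree.

# scan_httpd_conf DIR: prints "file:line: finding"; returns 1 if anything is found.
scan_httpd_conf() {
    # -L follows symlinks such as Debian-style mods-enabled/ links, while
    # *-available/ directories (inactive snippets) are pruned. Limiting the
    # scan to *.conf and *.load files is an assumption about file naming.
    findings=$(
        find -L "$1" -type d -name '*-available' -prune -o \
            -type f \( -name '*.conf' -o -name '*.load' \) -print |
        while IFS= read -r f; do
            awk -v file="$f" '
                /^[ \t]*#/ { next }   # commented-out directives are inactive
                {
                    line = tolower($0)   # directive names are case-insensitive
                    if (line ~ /^[ \t]*loadmodule[ \t]+lua_module[ \t]/)
                        printf "%s:%d: mod_lua is loaded\n", file, NR
                    if (line ~ /^[ \t]*proxyrequests[ \t]+on[ \t\r]*$/)
                        printf "%s:%d: forward proxy on (ProxyRequests On)\n", file, NR
                }' "$f"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree DIR: constructed sample configuration, for demonstration only.
make_sample_tree() {
    mkdir -p "$1/conf.d" "$1/mods-available"
    printf '%s\n' '# LoadModule lua_module modules/mod_lua.so' \
        'LoadModule proxy_module modules/mod_proxy.so' > "$1/httpd.conf"
    printf '%s\n' 'loadmodule lua_module modules/mod_lua.so' > "$1/conf.d/extra.conf"
    printf '%s\n' '<IfModule mod_proxy.c>' '  ProxyRequests On' '</IfModule>' \
        > "$1/conf.d/proxy.conf"
    printf '%s\n' 'LoadModule lua_module modules/mod_lua.so' > "$1/mods-available/lua.load"
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then scan_httpd_conf "$1"; fi
```

Pass the configuration directory of the installation as the only argument; a non-zero exit status means at least one finding was printed.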

You may refer to the KISTERS AG news entry about this same topic at the URL www.kisters.de/en/news/current-security-news/2022-02-22-business-unit-water/
