This document describes the support position of Sustaining Engineering relative to a Trellix application. This document addresses concerns about ePO and the modules installed with the Apache HTTP server.
Description
There have been several ePO escalations dealing with the Apache HTTP server that are specific to the modules installed. Some of these escalations have had associated vulnerabilities.
Research and Conclusions
The modules installed with the Apache HTTP server that ships with ePO are listed below. You can find more details about Apache vulnerabilities on this page from the Apache HTTP Server Project.
Modules Installed:
LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule headers_module modules/mod_headers.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
Use the instructions below to confirm what modules are loaded on the ePO server or any remote Agent Handler:
- Log on to the server hosting ePO or the Agent Handler.
- Go to <ePO or AH Installation Directory>\Apache2\Conf
- Edit the httpd.conf file.
- Search for the module name you're verifying. For example, if you want to see if mod_proxy is loaded, you would search for mod_proxy.
Look for a line similar to the one provided below, using the mod_proxy example:
#LoadModule proxy_module modules/mod_proxy.so
The # at the beginning comments the line out, meaning the module isn't loaded. If the line is missing entirely, the module isn't loaded. If the line is present, but doesn't begin with a #, the module is loaded.
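The same check can be scripted. The following is an added example, not Trellix code: it applies the three rules above (commented out, missing, or present) to every LoadModule line and compares the result with the nine modules listed in this article. The function name, the Review column, and the sample configuration text are assumptions made for illustration. It reads only the lines it is given, so LoadModule lines in files pulled in by Include directives are not seen.

```powershell
# Added example, not Trellix code. Baseline = the nine modules listed in this article.
$Baseline = 'ssl_module','authz_host_module','authz_core_module','log_config_module',
            'mime_module','negotiation_module','setenvif_module','headers_module',
            'reqtimeout_module'

function Get-ApacheModuleState {
    param(
        [Parameter(Mandatory)][string[]]$ConfLines,
        [string[]]$Expected = $Baseline
    )
    $state = @{}   # module name -> 'Loaded' or 'CommentedOut'
    foreach ($line in $ConfLines) {
        # Optional leading '#', then "LoadModule <name> <file>" (-match is case-insensitive)
        if ($line -match '^\s*(?<hash>#+)?\s*LoadModule\s+(?<name>\S+)\s+\S+') {
            $name = $Matches['name']
            if (-not $Matches.ContainsKey('hash')) {
                $state[$name] = 'Loaded'          # an active line always wins
            } elseif (-not $state.ContainsKey($name)) {
                $state[$name] = 'CommentedOut'
            }
        }
    }
    # Report every module that is either in the baseline or mentioned in the file
    foreach ($name in (@($Expected) + @($state.Keys) | Sort-Object -Unique)) {
        $status = if ($state.ContainsKey($name)) { $state[$name] } else { 'Absent' }
        [pscustomobject]@{
            Module     = $name
            Status     = $status
            InBaseline = $Expected -contains $name
            Review     = ($status -eq 'Loaded') -ne ($Expected -contains $name)  # differs from baseline
        }
    }
}

# Constructed sample input, not a real ePO httpd.conf
$sample = @'
LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule headers_module modules/mod_headers.so
#LoadModule proxy_module modules/mod_proxy.so
LoadModule status_module modules/mod_status.so
'@ -split "`r?`n"
Get-ApacheModuleState -ConfLines $sample | Format-Table -AutoSize
```

With the constructed sample, proxy_module is reported as CommentedOut, reqtimeout_module as Absent, and status_module as Loaded with Review set to True. On a server, pass the output of Get-Content for the httpd.conf file in the Conf directory named in the steps above.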
Disclaimer
Any future product release dates mentioned in this statement are intended to outline our general product direction. They mustn't be relied on in making a purchasing decision:
- The product release dates are for information purposes only, and can't be incorporated into any contract.
- The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality.
- The development, release, and timing of any features or functionality described for our products remains at our sole discretion. The release might be changed or canceled at any time.