Apache Question

borourke
10-Marble

We have just been informed that there is a security vulnerability in our production version of Apache. Is it possible to upgrade just the Apache version in place? Any known pitfalls? Thanks in advance!

Send lawyers, guns, and money...the sh!t has hit the fan!

Bill,

You can, but you have to use the version supported by PTC. PTC has customized Apache to interact with Windchill in special ways, so if you go to apache.org and download one, it will not work. In summary, you are limited to the version that has been certified by PTC to work with Windchill. I was dinged by a security audit some time ago, and my justification for not upgrading Apache was that the version they recommended has not been certified by PTC to work with Windchill, and until PTC certifies that version, I cannot upgrade Apache to the version.

HTH,


Alexius C. Chukwuka
IT Analyst, PDP Systems
John Deere Power Systems
Product Engineering Center
*Voice: 319-292-8575
*Mobile: 319-429-5336
*Fax: 319-292-6282
*E-Mail: -



You're pretty much stuck with the version supplied by PTC. You can place
a support call with them to see if it's a legitimate concern - I've read in
other messages that the supposed security vulnerabilities have either
already been patched by PTC, or rendered unusable, so I wouldn't panic
before checking with them.


Brian Geary
R&D Systems Analyst
Herman Miller, Inc.

Didn't Jess Holle of PTC just address this issue? See the highlighted text below.

Feb 02, 2010 11:42 AM

I mis-read your original post. I had thought you were looking for
Tomcat 6.0.20 or higher rather than 6.0.21 or higher.

6.0.21 through 6.0.23 were never publicly released as these attempted
releases all had serious issues.

6.0.24 came out quite recently. If you are sufficiently concerned, then
the move to test and integrate Tomcat 6.0.24 could potentially be
expedited and given a higher priority. I am not aware of any
significant vulnerability that applies to Windchill's use of Tomcat that
is addressed by 6.0.24, though. The only issue I can find is
CVE-2009-3555, which only applies if one is using Tomcat to serve HTTPS
requests directly -- rather than using Apache to do so and having it
delegate to Tomcat. As PTC /only/ supports the Apache+Tomcat
deployment, this does not impact Windchill's use of Tomcat.

jessh
5-Regular Member
(To:borourke)

I should clear up some things on this thread.

There is a big difference between Apache and Tomcat here.

The original question here was about Apache:

"We have just been informed that there is a security vulnerability
in our production version of Apache. Is it possible to upgrade just
the Apache version in place? Any known pitfalls? Thanks in advance!"

whereas David is quoting a thread about Tomcat below.

I can't be certain which the original question intended to address --
only what it addressed literally.

As far as Apache is concerned:

* PTC supports other versions than those supplied by PTC. The
documentation includes instructions on applying a configuration
file overlay on top of a non-PTC Apache so that it can be
configured in a manner consistent with a PTC Apache. There are
plenty of details to get right here, e.g. the non-PTC supplied
Apache must supply all the modules PTC uses, must be of at least a
given minimum version, must be in the standard Apache layout, and
so on. Overall, it is far more work to get right than the PTC
supplied Apache, but it is an option if you really need it.
* PTC supplies the later versions of Apache in most every MOR.
Essentially each new Apache version is added to the MOR under
development at the time. Also, one can use Apaches from later
MORs with earlier MOR levels of Windchill.
* PTC also makes later Apache versions available on an expedited
basis via an early access page on the support site. These
releases are provided prior to the extensive testing that would
take place in an MOR cycle -- and thus are available sooner but
are less tested.
* Many Apache security issues do not apply to out-of-the-box use of
Apache by Windchill as many issues are in modules which are not
used by Windchill out-of-the-box. Some are quite applicable,
however, and PTC endeavors to make Apache updates available on a
timely basis.

As far as Tomcat is concerned:

* PTC does *not* support other versions than those supplied by PTC.
There are numerous reasons for this, but the biggest are (1)
Apache is native code with various build options, so there are some
use cases for using one's own special Apache, whereas Tomcat is
Java code with standard cross-platform binaries for a given
version, and (2) version (and patch) changes in Tomcat have a
bigger impact on Windchill behavior than version changes in Apache.
* New Tomcat versions occur fairly infrequently. PTC incorporates
these in MORs where this is deemed worthwhile (whether due to
security, performance, stability, or robustness fixes). As with
Apache, one can use Tomcats from later MORs with earlier MOR
levels of Windchill.
* Since Windchill deployments of Tomcat are behind a web server
(Apache or IIS), it is fairly infrequent to have a new Tomcat
version containing a security issue that applies to Windchill
deployments. It is rarer still for such an issue to be serious
(rather than a minor reduction in security-through-obscurity
through exposing JSP source code, for instance*).

--
Jess Holle

* I count exposure of JSP source code as a minor issue because no one
should ever put sensitive information, e.g. passwords, in JSP source
code. To the best of my knowledge no JSP in the product does anything
of the sort. If you believe you have such JSPs, then JSP source code
exposure is much more serious. If you have no such JSPs, then this
hiding JSP source is simply security-through-obscurity, which provides
little to no additional security.
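As an added example (not PTC's documentation or tooling), here is the kind of pre-flight check a practitioner would run before laying the PTC configuration overlay Jess describes on top of a non-PTC Apache: it parses captured `httpd -M` and `httpd -v` output and flags required modules that are absent or a version below the documented minimum. The required module list, the minimum version and the sample `httpd` output are constructed placeholders, not PTC's actual requirements; take the real values from the PTC documentation for your MOR.

```shell
#!/bin/sh
# Pre-flight check before laying the PTC configuration overlay on a non-PTC Apache.
# Added example, not PTC's tooling. REQUIRED_MODULES and MIN_VERSION are constructed
# placeholders: take the real values from the PTC documentation for your MOR.
REQUIRED_MODULES="core_module so_module mpm_worker_module proxy_module proxy_ajp_module ssl_module rewrite_module"
MIN_VERSION="2.2.14"
# Constructed sample output of `httpd -M` and `httpd -v` (proxy_ajp_module is absent).
SAMPLE_HTTPD_M="Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_worker_module (static)
 proxy_module (shared)
 ssl_module (shared)
 rewrite_module (shared)
Syntax OK"
SAMPLE_HTTPD_V="Server version: Apache/2.2.15 (Unix)
Server built:   Mar 4 2010 12:00:00"

# Print the required modules that do not appear in `httpd -M` output ($1).
missing_modules() {
    missing=""
    for m in $REQUIRED_MODULES; do
        # httpd -M prints one module per line: " name_module (static|shared)"
        printf '%s\n' "$1" | grep -q "^ *$m " || missing="$missing $m"
    done
    printf '%s' "${missing# }"
}

# Extract the version from `httpd -v` output ($1), e.g. 2.2.15.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Succeed if dotted version $1 is at least dotted version $2.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Run both checks on captured `httpd -M` ($1) and `httpd -v` ($2) output.
# Usage on a real host: check_build "$(httpd -M 2>&1)" "$(httpd -v)"
check_build() {
    ok=0
    miss=$(missing_modules "$1")
    [ -z "$miss" ] || { echo "missing modules: $miss"; ok=1; }
    ver=$(httpd_version "$2")
    version_at_least "$ver" "$MIN_VERSION" || { echo "version $ver < $MIN_VERSION"; ok=1; }
    return $ok
}
```

On the sample input the check fails because proxy_ajp_module is missing; adding that line to the `httpd -M` output makes it pass.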
