InterSystems Official
· Nov 19, 2021

Advisory: Apache Web Server provided with InterSystems kits – Vulnerability reports

November 19, 2021 - Advisory: Apache Web Server provided with InterSystems kits – Vulnerability reports

InterSystems kits include an Apache web server, which provides a convenient way for customers to interact with the Caché/IRIS Management Portal without needing to install an external web server; however, this web server should never be used for production instances, and customers must install a web server that fits their specific needs and security/risk requirements.

Recent tests have noted some security issues with the currently included Apache web server. Because this is a third-party technology that InterSystems does not control, InterSystems recommends installing a web server version directly obtained from Apache or another third party and disabling the included Apache web server. Our product documentation includes instructions on how to disable the web server provided with our kits. In addition, Apache also offers uninstall instructions that can be found on the Apache website.

InterSystems plans to include a more recent version of the Apache web server in upcoming releases. Similar to the current version, this version also cannot be used for production instances. In future releases of our products, InterSystems will not ship or install any web server; we will provide further updates with the specifics of our plans.

Discussion (2)1
Log in or sign up to continue

We have always used independent web servers for production.

However, with the release of container deployment, can I get clarity on the webgateway container provided by ISC is NOT affected by the same vulnerabilities? I understood this to be a full apache instance with modules pre-installed.

If so, are there any recommended practices one should use for this container in a production environment?

Hi @Trevor Strong 

The container image simply installs the standard Apache package in the container and adds the CSP add-on.

For any update on the Apache web server we should all keep an eye on https://www.cvedetails.com/product/66/Apache-Http-Server.html?vendor_id=45 and consider patching/upgrading/re-building as necessary and according to the security policies and best practices of the organizations we work for.

HTH