Steve_Hulsberg
May 24, 2018, Aspirant
ReadyNAS 516 - Failing Security Scan as End Of Life with Apache 2.2.34 , Need to Upgrade to 2.4.x
When running a security scan on the ReadyNAS 516 it comes up with a security issue due to Apache 2.2.x reaching end of life. I have updated to the most current firmware but it looks like Apache is st...
mdgm-ntgr
May 24, 2018, NETGEAR Employee Retired
We are evaluating upgrading to apache 2.4 but have no imminent plans for an update to this.
If you try updating it yourself there’s a strong chance it will break the http/s service for the NAS. You could experiment using the VM.
Steve_Hulsberg
May 24, 2018, Aspirant
mdgm,
This puts us into a predicament: we cannot have it fail a security audit, but we also cannot remove it at this time. What do you mean by experiment using the VM? If we were to upgrade and, say, it broke HTTP/s, would there be a way to revert the upgrade and not lose the data?
- mdgm-ntgr
May 24, 2018, NETGEAR Employee Retired
Upgrading from 2.2 to 2.4 would be a major undertaking. It's not just a matter of updating packages; it's also updating the configuration and making sure that the appropriate configuration is set when changes are made in the GUI, etc.
We do backport patches from various packages as we need to from time to time.
Also, whilst most of the apache2 packages we use are the 2.2.x version, we do use a 2.4.x version of apache2-utils.
In any case we don't recommend making http/s on the NAS publicly accessible on the internet and you should only allow those you trust to access your LAN.
You can run ReadyNAS OS 6 in a Virtual Machine. If you're going to experiment it's better to replicate your setup (apps etc.) and experiment with that rather than on a production system.
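As an added illustration of the configuration work mentioned above (this is not from the thread or from ReadyNAS OS), the access-control directives are the main incompatibility between the 2.2 and 2.4 branches; the directory path and subnet below are placeholders, and the 2.4 form also shows how LAN-only access like the kind recommended here is expressed:

```apache
# Apache 2.2 style (placeholder directory, not a ReadyNAS file):
# host-based access control uses Order / Allow / Deny.
<Directory "/var/www/example">
    Order allow,deny
    Allow from 192.168.1.0/24
</Directory>

# Apache 2.4 equivalent: Order / Allow / Deny moved out of core into
# mod_access_compat, so a 2.2 config fails to parse unless that module
# is loaded. The native 2.4 form uses Require from mod_authz_host.
<Directory "/var/www/example">
    Require ip 192.168.1.0/24
</Directory>

# Common 2.2 -> 2.4 translations that a GUI-generated config must emit:
#   Order allow,deny / Allow from all   ->  Require all granted
#   Order deny,allow / Deny from all    ->  Require all denied
#   Allow from 10.0.0.0/8               ->  Require ip 10.0.0.0/8
```

Loading mod_access_compat keeps the old syntax working as a transitional step, but any configuration that the management GUI rewrites still has to be regenerated in the Require form before that module is dropped.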
- Steve_Hulsberg
May 25, 2018, Aspirant
mdgm,
I understand it is a major undertaking, but either way it is a security risk that should be mitigated to protect the customers. Internal or external, it is still tagged as a "high" risk by scanners such as Nessus (https://www.tenable.com/plugins/nessus/34460; take a look at the CVSS information), which needs to be taken care of. Systems can be compromised on a LAN as well, so this is something that needs to be fixed sooner rather than later, as more attacks are happening on the LAN. Not having it updated by Netgear and not being able to safely update it as a customer puts the customer in a bad predicament.
- StephenB
May 25, 2018, Guru - Experienced User
Many companies simply won't deploy products that fail security scans, so I agree that Netgear needs to ensure that their products pass those scans.
Another path is to report the issue here: https://bugcrowd.com/netgearkudos