Applies to: All VMS
Summary
Periodically, users may receive alerts from vulnerability scanners flagging insecure WAVE versions in the VMS. These alerts are typically false positives, as the VMS does not use Apache. However, the Apache name appears in the HTTP headers of the VMS WebAdmin application due to legacy third-party integrations designed to ensure compatibility with known web servers, firewalls, and antivirus systems, particularly older ones.
Verifying Apache Installation
To confirm whether Apache is installed on your system:
- On Linux: Run the command apache2 -v in the terminal. If Apache is not installed, a "command not recognized" error or a similar message appears.
- On Windows: Check for an Apache installation directory, typically located in C:\Program Files or C:\Program Files (x86). If no such directory exists, Apache is not installed.
If Apache is not installed, you can safely disregard the scanner's Apache-related alerts.
Resolving the False Positive by Removing Apache Headers (WAVE Side)
If there are no legacy integrations dependent on the current configuration, you can modify the VMS WebAdmin settings to prevent the Apache headers from appearing.
- Navigate to the WebAdmin interface, advanced settings:
https://<server>:7001/#/settings/advanced
- Scroll to the serverHeader field.
By default, the value will look like this: $vmsName/$vmsVersion ($company) $compatibility
- Update the value to: $vmsName/$vmsVersion.
- After making the change, restart the media server application to apply the updated configuration.
- With the default configuration, the serverHeader might appear as:
Server: WAVE/6.0.0.39503 (Network Optix) Apache/2.4.16 (Unix)
After updating the serverHeader, it should display: Server: WAVE/6.0.0.39503
- After making the change and restarting the service, run the scanner again. The false positive should no longer appear.
These steps address the false positive related to Apache in the VMS. If legacy integrations are required, consider the implications of modifying the serverHeader before proceeding.
Comments
0 comments
Article is closed for comments.