October 5, 2021

How to Mitigate the Apache 0-Day Vulnerability With Puppet or Bolt

Security & Compliance
How to & Use Cases

The Apache 0-Day vulnerability could be a major security risk for servers running it. Get an overview of the Apache 0-Day vulnerability and how to mitigate it using Puppet or Bolt.


What Is Apache 0-Day Vulnerability?

Apache 0-Day is a critical, actively exploited path traversal flaw in Apache web server version 2.4.49. It lets an attacker trivially read the contents of any file on the server that the Apache process has access to, and in some cases achieve remote code execution (RCE).

The Apache 0-Day vulnerability was found to expose highly sensitive information, even as critical as the server's own private SSL certificates.

Puppet Enterprise and Bolt both make it easy to identify vulnerable systems and mitigate the exposure by upgrading the Apache package.

Update: The fix in Apache version 2.4.50 was incomplete. Follow these instructions to upgrade your nodes to Apache version 2.4.51 from both 2.4.49 and 2.4.50.

How to Use Puppet Enterprise to Mitigate Apache 0-Day

Puppet Enterprise includes a feature called Package Inventory, which lets you quickly identify which nodes in your infrastructure are running the vulnerable version of Apache. It's disabled by default, so you'll need to turn it on first.

In the PE Console, find the PE Agent node group. Add the puppet_enterprise::profile::agent class if it isn't already there, then set the package_inventory_enabled parameter to true. Use the Run Puppet button to trigger a Puppet run on all nodes. Inventory collection only takes effect on subsequent Puppet runs, so once that first run has completed, trigger a second one.

Now use the Packages page to view your infrastructure's package inventory. Filter by the package name "httpd" then click into the package detail page and filter by the version 2.4.49. This now lists all nodes with the vulnerable version.

If the package is managed by Puppet, use the Instances selector to drill in and then click Copy path to quickly find the spot in your codebase you need to update with a newer version. Run Puppet on all nodes once the codebase has been updated.

If you have instances in which the package is not managed by Puppet, use a Puppet Task to push a package update to those nodes. Create a list of the affected nodes, then run the Package task with the upgrade action to force the package to be updated.

Since some distributions call the package "apache", repeat the above steps with that name too. Find more information about the Package Inventory.
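The "spot in your codebase" that Copy path leads you to is usually a package resource. The manifest below is an added example, not code from the original post or from Puppet: it pins the package to the fixed release and, because a package upgrade does not by itself reload the running server, restarts the service whenever the package changes. The package-name mapping by OS family and the service name httpd are assumptions for illustration; the post only notes that some distributions call the package "apache". The pinned version follows the update note above (2.4.51 rather than 2.4.50).

```puppet
# Added example (not from the original post). Assumption: the package is
# called 'httpd' on RedHat-family systems and 'apache' on Arch; adjust the
# mapping for your distributions.
$apache_package = $facts['os']['family'] ? {
  'RedHat'    => 'httpd',
  'Archlinux' => 'apache',
  default     => 'httpd',
}

# Pin to the fixed release. The post's update note says 2.4.51 supersedes
# the incomplete 2.4.50 fix, so the pin follows that.
package { 'apache':
  ensure => '2.4.51',
  name   => $apache_package,
}

# Upgrading the package does not reload the server that is already running
# the vulnerable binary. Restart it whenever the package changes.
# Assumption: the service is named 'httpd'.
service { 'httpd':
  ensure    => running,
  enable    => true,
  subscribe => Package['apache'],
}
```

After the change is merged, the Puppet run on each node upgrades the package and the subscribe relationship triggers a service restart in the same run, so the Packages page and the running process agree.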

How to Use Puppet Bolt to Mitigate Apache 0-Day

If you don't have Puppet Enterprise, Bolt lets you use plans to gather information from nodes. Start by creating a directory called apache_mitigation, cd into it, and turn it into a Bolt project by running bolt project init.


You'll want an inventory file so you can address all your nodes. If you don't have one already, then create one. We will use the implicit all target group, or you can create a more specific group if you want to limit the nodes to be inspected.

Then create a new plan to manage the package upgrade process. Run bolt plan new apache_mitigation::upgrade_vulnerable_packages --pp

Add the following content to your new plan file:

plan apache_mitigation::upgrade_vulnerable_packages (
  String     $package,
  String     $vulnerable_version,
  String     $target_version,
  TargetSpec $targets,
) {
  # Get status of the package on each target. The 'status' action reports the
  # installed version as the package provider sees it.
  $package_status = run_task('package', $targets,
    'name'   => $package,
    'action' => 'status'
  )

  # Select targets that have the vulnerable package installed. This is an exact
  # string comparison: if your distribution reports a version with a release
  # suffix (for example 2.4.49-1.el8), pass that full string as
  # vulnerable_version or the target will not be selected.
  $vulnerable_targets = $package_status.filter_set |$result| {
    $result['version'] == $vulnerable_version
  }.targets

  # Upgrade the package to a non-vulnerable version on each vulnerable target.
  # When no target matched, this runs against an empty set and returns an
  # empty ResultSet.
  $result = run_task('package', $vulnerable_targets,
    'name'    => $package,
    'action'  => 'upgrade',
    'version' => $target_version
  )

  return $result
}

Since different distributions use different package names, run the plan for both httpd and apache. (Per the update above, use target_version=2.4.51, and run the plan a second time for each package with vulnerable_version=2.4.50 to catch nodes that were already moved to the incomplete fix.)

bolt plan run apache_mitigation::upgrade_vulnerable_packages package=httpd vulnerable_version=2.4.49 target_version=2.4.50 --targets=all

bolt plan run apache_mitigation::upgrade_vulnerable_packages package=apache vulnerable_version=2.4.49 target_version=2.4.50 --targets=all

How to Verify the Apache 0-Day Mitigation

Whether you use Puppet Enterprise or Bolt to mitigate your exposure, once you're finished you can go back and verify that the vulnerable nodes have been upgraded. On Puppet Enterprise, return to the Packages page in the PE Console and drill down to the httpd or apache packages to validate versions. With Bolt, run the apache_mitigation::upgrade_vulnerable_packages plan again: with no vulnerable targets left, the upgrade step runs against no nodes and the returned result set is empty.
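The plan above and the verification step share one query, so both can be served by a single plan. The following is an added example, not the plan from the original post or from Puppet: it generalizes the post's plan to a list of vulnerable versions (2.4.49 and 2.4.50, per the update note), tolerates version strings that carry a distribution release suffix, keeps one unreachable node from aborting the whole sweep, restarts the service after the upgrade, and re-queries the upgraded nodes so the same run verifies itself. The default service name httpd, the default target release 2.4.51, and the assumption that versions look like 2.4.49-1.el8 are mine, not the post's.

```puppet
# Added example (not the plan from the original post). Assumptions: the
# package task may report versions with a '-release' suffix such as
# '2.4.49-1.el8'; the service is named 'httpd'; 2.4.51 is the target release,
# following the post's update note.
plan apache_mitigation::upgrade_and_verify (
  TargetSpec    $targets,
  String        $package             = 'httpd',
  String        $service             = 'httpd',
  Array[String] $vulnerable_versions = ['2.4.49', '2.4.50'],
  String        $target_version      = '2.4.51',
  Boolean       $report_only         = false,
) {
  # Ask every target what it has installed. _catch_errors keeps one unreachable
  # node from failing the plan; its failed result simply never matches below.
  $status = run_task('package', $targets,
    'name'          => $package,
    'action'        => 'status',
    '_catch_errors' => true,
  )

  # Keep targets whose version, with any '-release' suffix stripped, is listed.
  $vulnerable = $status.filter_set |$result| {
    $installed = $result['version']
    $result.ok and $installed =~ String and regsubst($installed, /-.*/, '') in $vulnerable_versions
  }.targets

  $unreachable = $status.error_set.targets.map |$t| { $t.name }
  unless $unreachable.empty {
    out::message("Could not query ${package} on: ${unreachable.join(', ')}")
  }

  $vulnerable_names = $vulnerable.map |$t| { $t.name }
  out::message("Targets with a vulnerable ${package}: ${vulnerable_names.join(', ')}")

  # Report-only mode answers "who is still exposed?" without changing anything.
  if $report_only {
    return $vulnerable_names
  }

  # Upgrade only the affected targets, then restart the service so the running
  # server actually loads the fixed binary (the package task does not do this).
  $upgraded = run_task('package', $vulnerable,
    'name'          => $package,
    'action'        => 'upgrade',
    'version'       => $target_version,
    '_catch_errors' => true,
  )
  run_task('service', $upgraded.ok_set.targets,
    'name'          => $service,
    'action'        => 'restart',
    '_catch_errors' => true,
  )

  # Re-query the targets we touched; anything still on a listed version fails the plan.
  $recheck = run_task('package', $vulnerable,
    'name'          => $package,
    'action'        => 'status',
    '_catch_errors' => true,
  )
  $still_vulnerable = $recheck.filter_set |$result| {
    $installed = $result['version']
    $result.ok and $installed =~ String and regsubst($installed, /-.*/, '') in $vulnerable_versions
  }.targets.map |$t| { $t.name }

  unless $still_vulnerable.empty {
    fail_plan("Still on a vulnerable ${package} after upgrade: ${still_vulnerable.join(', ')}")
  }

  $summary = {
    'upgraded'    => $upgraded.ok_set.targets.map |$t| { $t.name },
    'failed'      => $upgraded.error_set.targets.map |$t| { $t.name },
    'unreachable' => $unreachable,
  }
  return $summary
}
```

Run it once per package name, for example bolt plan run apache_mitigation::upgrade_and_verify --targets=all and bolt plan run apache_mitigation::upgrade_and_verify package=apache --targets=all. Adding report_only=true turns the same plan into the verification pass: it returns the names of any targets still on a listed version and changes nothing, so an empty list is the result you are looking for.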
