Sophos Update Cache and Message Relay - Multiple security vulnerabilities

Our network runs Sophos Endpoint clients using an Update Cache and Message Relay server. We've recently run a security audit and discovered the Update Cache server has multiple security vulnerabilities.

The Sophos Update Cache security vulnerabilities include:

  • Apache 2.4.37, which has a dozen or so vulnerabilities, rated from important to moderate to low.
  • HTTP TRACE/TRACK method enabled - this is for debugging purposes and considered a security risk in a production environment.

Is there documentation from Sophos on how to mitigate these vulnerabilities, or plans to release an update with them corrected?

References

Apache HTTP Server 2.4 vulnerabilities

https://httpd.apache.org/security/vulnerabilities_24.html

Apache Cross-Site Tracing issues

http://www.apacheweek.com/issues/03-01-24
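
An audit check for the two findings listed in the post above, as an added example that is not part of the original post and not Sophos code: it sends one TRACE request, reports whether the server reflects it, and compares the `Server` banner against an assumed minimum version. The function names, the marker header, the `min_apache` threshold and the local stand-in server are all constructed for illustration.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def audit_http(host, port, min_apache=(2, 4, 38), timeout=5):
    """Return (server_banner, banner_outdated, trace_enabled) for one listener."""
    marker = "trace-audit-marker"  # constructed value; TRACE reflects the request
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Audit": marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        banner = resp.getheader("Server", "")
    finally:
        conn.close()
    # Enabled only if the server answers 200 and echoes our header back.
    trace_enabled = resp.status == 200 and marker in body
    # min_apache is an assumed threshold: flag the reported 2.4.37 and older.
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    outdated = bool(m) and tuple(map(int, m.groups())) < min_apache
    return banner, outdated, trace_enabled

class _FakeServer(BaseHTTPRequestHandler):  # constructed stand-in, not Sophos code
    trace_on = True
    def version_string(self):
        return "Apache/2.4.37"
    def do_TRACE(self):
        if not self.trace_on:
            self.send_error(405)
            return
        echoed = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = (self.requestline + "\r\n" + echoed).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo(trace_on):  # audit a loopback listener with TRACE switched on or off
    handler = type("Handler", (_FakeServer,), {"trace_on": trace_on})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit_http("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
```

A banner match is only an indicator, since vendors may backport fixes without changing the version string. Running the check before and after remediation shows whether both findings have cleared.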


