Many Apache websites running old, vulnerable software


ID: IRCNE2014022096
Date: 2013-02-09

According to ZDNet, research by Netcraft shows that very few Apache web servers are running the current, fully patched version of the software. Some very popular sites are running very old, vulnerable and unsupported versions.
The latest Apache Stable Release is 2.4.7, released November 25, 2013. Very few sites are running this version: fewer than 1 percent of sites report running any version in the 2.4 branch, despite Apache urging users to do so. Instead, Apache servers are overwhelmingly running the "Legacy Release," i.e. the 2.2 branch, the latest version of which is 2.2.26, released November 18, 2013.
Even version 1.3.x, at roughly 6 million sites, is far more popular than the Stable Release. The most popular such site is Weather Underground, which runs Apache 1.3.42.
As Netcraft notes, over half of Apache web sites hide the version number, although further tests may indicate the version. By the same token, some servers with a vulnerable version number may not be vulnerable to some of that version's flaws; for example, Red Hat Linux provides a backporting feature by which fixes for later versions may be applied to an earlier version.
But, as best as we can tell, the 2.2.x branch is dominant. It is still distributed by many third parties, such as Red Hat. And many sites for which security is a prominent concern, such as OpenSSL, run old versions. OpenSSL.org runs Apache 2.2.22 on Ubuntu Linux.
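An added example, not from ZDNet or Netcraft: Python code that sorts `Server` header values collected from an inventory of your own hosts into the branches discussed above, and separates hidden banners and distribution-packaged builds, where the banner alone cannot settle patch status. The sample headers, the status labels and the distribution token list are constructed for illustration.

```python
import re
from collections import Counter

# Latest upstream release per branch, as stated in the article (November 2013).
LATEST = {"2.4": (2, 4, 7), "2.2": (2, 2, 26)}
# Banner tokens suggesting a distribution package, where fixes may be
# backported without changing the version number (constructed list).
DISTRO_TOKENS = ("Red Hat", "CentOS", "Ubuntu", "Debian")

# "Apache", optionally followed by /major[.minor[.patch]], then a space or end.
# The lookahead keeps other products such as "Apache-Coyote" out.
BANNER_RE = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(?=\s|$)(.*)$")

def classify(server_header):
    """Return (branch, status) for one Server header value."""
    m = BANNER_RE.match(server_header.strip())
    if not m:
        return ("not-apache", "n/a")
    major, minor, patch = m.group(1, 2, 3)
    if minor is None:
        # Version hidden or reduced to the major number only.
        return ("hidden", "verify-installed-package")
    branch = f"{major}.{minor}"
    if patch is None:
        return (branch, "patch-hidden-verify-installed-package")
    latest = LATEST.get(branch)
    if latest is None:
        # For example 1.3.x: not one of the two branches the article lists.
        return (branch, "unlisted-branch")
    if (int(major), int(minor), int(patch)) >= latest:
        return (branch, "current")
    if any(token in m.group(4) for token in DISTRO_TOKENS):
        # Banner is behind upstream, but the vendor may have backported fixes.
        return (branch, "behind-upstream-check-backports")
    return (branch, "behind-upstream")

def summarize(headers):
    """Count hosts per (branch, status) pair."""
    return Counter(classify(h) for h in headers)

# Constructed sample inventory, not survey data.
SAMPLE = ["Apache/2.4.7 (Unix)", "Apache/2.2.22 (Ubuntu)", "Apache/2.2.15 (Red Hat)",
          "Apache/2.2.26 (Unix)", "Apache/1.3.42 (Unix)", "Apache", "Apache/2.2",
          "Apache-Coyote/1.1", "nginx/1.4.4"]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(count, *key)
```

Hosts labelled `check-backports` or `verify-installed-package` need the installed package version and the vendor's advisories checked, since the banner does not reflect backported fixes.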
