While doing our quarterly PCI compliance network scan, there are many “high” vulnerabilities it picked up on our FreePBX Distro server, Apache 2.4.6 and PHP 5.6 are the two things it’s most unhappy about. We use one commercial module, so we are required to run the FreePBX Distro. We have multiple remote locations, so we must have web access to the FreePBX server for our digium phones to get firmware updates, etc.
With that state of affairs of cyber attacks, having these very old version of Apache and PHP running are getting more and more scary. Is there a way we can safely upgrade our Apache to something much more current on the FreePBX Distro? I know PHP 7 support was added in FreePBX 16, but we haven’t upgraded to 16 yet, so that may present it’s own series of issues.
Also on a related note, is there any time frame when a new FreePBX distro based on an updated OS will be released? Or if/when commercial modules will ever be supported on something other than the distro?(i.e. debian)
Your security scanners might be doing a very simple httpd -v to get the version information on Apache, which doesn’t tell the whole story. The current version of apache with FreePBX distro is 2.4.6-93.el7 which fixes CVE-2017-15710, CVE-2018-1301, CVE-2018-17199.
Yes, it’s still a fairly old version of apache, but it might not be quite as vulnerable as what your compliance scans are saying.
There is nothing yet, which is why I offered the small bit of consolation I could on the older (but patched) apache version. We are all waiting to find out what the plan will be for FreePBX 17+. By the way, upgrading to 16 is straightforward and at least you will get to newer php binaries that way.