FreePBX Distro Apache Version

While doing our quarterly PCI compliance network scan, there are many “high” vulnerabilities it picked up on our FreePBX Distro server, Apache 2.4.6 and PHP 5.6 are the two things it’s most unhappy about. We use one commercial module, so we are required to run the FreePBX Distro. We have multiple remote locations, so we must have web access to the FreePBX server for our digium phones to get firmware updates, etc.

With that state of affairs of cyber attacks, having these very old version of Apache and PHP running are getting more and more scary. Is there a way we can safely upgrade our Apache to something much more current on the FreePBX Distro? I know PHP 7 support was added in FreePBX 16, but we haven’t upgraded to 16 yet, so that may present it’s own series of issues.

Also on a related note, is there any time frame when a new FreePBX distro based on an updated OS will be released? Or if/when commercial modules will ever be supported on something other than the distro?(i.e. debian)

Your security scanners might be doing a very simple httpd -v to get the version information on Apache, which doesn’t tell the whole story. The current version of apache with FreePBX distro is 2.4.6-93.el7 which fixes CVE-2017-15710, CVE-2018-1301, CVE-2018-17199.

Yes, it’s still a fairly old version of apache, but it might not be quite as vulnerable as what your compliance scans are saying.

As @billsimon stated your versions may not be as old as your PCI audit suggest. More information here: Security Backporting Practice - Red Hat Customer Portal. However, you may want to look into working in an upgrade path/plan.

1 Like

I would love an upgrade path/plan, that’s why I created this post. Is there such a path or plan that exists for someone needing to run the FreePBX Distro?

They used to keep a roadmap here, but doesn’t look like 16 is listed.

Saw this post a ways back, does version 16 have php7.x?

If you are looking for something concrete, you’ll need to contact Sangoma directly.

There is nothing yet, which is why I offered the small bit of consolation I could on the older (but patched) apache version. We are all waiting to find out what the plan will be for FreePBX 17+. By the way, upgrading to 16 is straightforward and at least you will get to newer php binaries that way.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.