Should a financial institution be using a version of Apache built in 2006 on their secure server?
September 15, 2011 6:42 PM

Does this website error message indicate that my financial institution is using a version of Apache built in 2006 on their secure server? Should I be concerned about that? If so, what should I do about it?

I just registered for online account access with an insurance company. After setting up my name and password I was entering more info and the website threw up an unformatted message saying something to the effect that "the service is temporarily unavailable."

Five minutes later I get an e-mail confirmation about registering so I go back to log in and see if I can finish entering my info. My attempt to log in yields another unformatted page saying
Failure of APACHE bridge:

No backend server available for connection: timed out after 10 seconds

Build date/time: Dec 4 2006 15:12:12

Change Number: 871803
The title of this window is "Weblogic Bridge Message".

Now, all this is happening on a supposedly secure site (https) and the pages are asking for things like my Social Security Number, etc.

The fact that they appear to be using a system built almost five years ago and possibly a 5-year-old version of Apache makes me think that they would be vulnerable to a number of long-known security exploits. Is that a silly naive reaction, or am I right to be concerned?

If I'm right to be concerned, is there anything I can do about it? It's hard enough to get through to a live person at any large company these days even for simple business. I can't imagine how long I'd be on hold trying to find someone to talk about the fact that they're using a dated build of Apache.
posted by alms to Technology (9 answers total) 2 users marked this as a favorite
 
Seems to me that the build date doesn't tell you anything about how secure it is. My guess would be that standard updates have been applied in the intervening years.

And you're likely correct that you wouldn't be able to talk with anyone at this company knowledgeable enough about network security.
posted by dfriedman at 6:51 PM on September 15, 2011


I know very little about this but I do know that it's relatively common to forge the Apache build date and number in your headers, specifically to make it slightly harder to launch a build-specific attack.
posted by range at 6:54 PM on September 15, 2011 [1 favorite]
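An added illustration, not part of range's answer: the two Apache httpd directives that decide how much version detail the server advertises. The directive names and their effect are from the httpd documentation; the version strings in the comments are made-up samples, and the "Weblogic Bridge Message" page in the question is produced by the WebLogic plug-in rather than by these directives, so they would not hide it.

```apache
# Weak setting: advertises the full version string of httpd and every
# loaded module, e.g.  Server: Apache/2.2.x (Unix) mod_ssl/2.2.x ...
# and appends a matching signature line to server-generated error pages.
ServerTokens Full
ServerSignature On

# Hardened setting: the Server header is reduced to "Apache" with no
# version, and error pages carry no signature line. This does not patch
# anything; it only removes the version hint that a build-specific
# attack would otherwise get for free. Actual exposure still depends on
# whether the installed build is patched.
ServerTokens Prod
ServerSignature Off
```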


It isn't a version of Apache that was built at that time, it's the Apache bridge. Weblogic is a Java application server; chances are, it's interoperating with their front-end Apache server via the "bridge" component that threw the error, and the build date of that bridge component is Dec. 4 2006. It isn't uncommon for application servers and other middleware to be old and stable; the front-end web server handles most public-facing security needs, so it's not a concern.
posted by sonic meat machine at 6:55 PM on September 15, 2011 [2 favorites]


Yeah, I wouldn't worry about it, and new software isn't any more likely to be secure than older software in any case.
posted by empath at 7:17 PM on September 15, 2011


new software isn't any more likely to be secure than older software in any case

That's not really a supportable assertion in general. Whether updates improve or worsen security depends on what the updates are for.

For example, it's simply untrue to assert that Windows XP with Service Pack 3 and all current hotfixes is no more secure than Windows XP as originally released. Hundreds of exploits that can be run against the older system simply don't work on the newer one, simply because most of what's been changed consists of fixes for old security holes. And yes this is Microsoft, but not even I believe that on balance their updates introduce at least as many new vulnerabilities as they fix old ones.

On the other hand, software updates driven primarily by a desire to add new features may well worsen security over time.
posted by flabdablet at 9:46 PM on September 15, 2011 [1 favorite]


Enterprise server software tends to be very old and stable, and is maintained and patched against new threats for many years. Maintenance programmers in now-obsolete languages make lots of bank on this; their pay is well above average because their skills are in short supply. Many banks still have 40-year-old mainframes chugging away somewhere.
posted by evariste at 10:33 PM on September 15, 2011


I would be concerned, and at least ask. (they _will_ say everything is okay, but you will have to gauge for yourself if you believe them)

My day-to-day gig is reviewing systems like this. Odds are this system was built years ago and since it's not actively crashing it hasn't been updated since then.
posted by bottlebrushtree at 11:01 PM on September 15, 2011


Weblogic, from way back before Oracle bought BEA. Given the build date, it looks like it's Weblogic 9.1.

Just as an example, there is a vulnerability in that Apache connector (CVE-2008-3257) that allows remote code execution in that version (all versions below 10.3). There's even an exploit floating around for it. Oracle says it's important: http://www.oracle.com/technetwork/topics/security/alert-cve-2008-3257-084687.html
posted by graftole at 6:51 AM on September 16, 2011


Corporate applications typically do not have a single "secure server" for handling business. Usually there are many layers of security and many different backend servers involved in any financial transaction.

The Apache server is the outside layer of security. It's like the guard at the gatehouse. The actual code that has direct access to sensitive information (in this case, running on a server called Weblogic) should be protected by other security mechanisms. For a financial institution, it's not unusual for the code that handles financial transactions to be running on an old mainframe.

I don't think it would be worth it to try to contact anyone about the version of the Apache server because:
1) It's hard to get hold of someone who can actually do something about this
2) It would be bad security practice to acknowledge security weaknesses to a stranger
3) Most likely whoever is in charge already knows about this and can't or won't update the software
posted by kenliu at 10:01 AM on September 16, 2011

