IM Advisory - Security Vulnerability

CVE-2021-40438 was brought to the iManage Security team for investigation, and they've found that the Apache vulnerability can be exploited under certain conditions. This issue applies to all on-premises Work Server versions and is designated as a critical security issue.

This issue does not apply to iManage Cloud customers.


Issue


On-premises versions of the following iManage products are affected by CVE-2021-40438 for Apache HTTP Server:

  • iManage Work Server 10.2.2 (10.2.2.260) and later

  • iManage Threat Manager 1.x and 10.x

  • iManage Extract

Note: Work Server versions 9.4, 9.5, and 10.0 - 10.2.2.259 are also impacted by the Apache vulnerability. Due to previously reported security vulnerabilities for these Work Server versions, iManage recommends that you upgrade to a minimum version of 10.2.260 and complete the required steps to block the Apache vulnerability for Work Server.


Refer to the following article for details regarding CVE-2021-40438.

Refer to the following sections for the action steps to remediate the Apache HTTP Server security vulnerability on your on-premises environment.

iManage Work Server

Apache HTTP Server is integrated into the iManage Work Server installation. iManage stores the Apache configuration settings for Work Server in a configuration file named worksite.conf. Adding a new configuration setting to this file allows you to block the Apache vulnerability.

Complete the following steps on each iManage Work Server in your on-premises environment to run the script that iManage provides to automate the configuration update:

1. Sign in as an administrator to the server running iManage Work Server.

2. Download the UpdateWorkSiteConf.ps1* script that automatically applies the necessary Apache HTTP Server configuration update to the worksite.conf file.

3. Open PowerShell with the Run as administrator option.

4. In PowerShell, navigate to and run the UpdateWorkSiteConf.ps1 script to apply the required configuration update.

5. Review the status message reported by the script after it completes. The script reports one of the following statuses to you:

- Configuration file <path to worksite.conf file> has successfully been updated. This message indicates that the necessary configuration change to block the vulnerability has been applied.

- Configuration file <path to worksite.conf file> has already been updated. This message indicates that the necessary configuration change to block the vulnerability was already applied and no further actions are required.

- Add-Content : Access to the path <path to worksite.conf file> is denied. The script was unable to open and add the necessary configuration change due to an access permissions issue.

- Cannot find Apache config file. Please make sure the current user account has access to <path to worksite.conf file> and then try again. The script was unable to locate or access the configuration file, possibly due to an access permissions issue, and couldn't add the necessary configuration change.

6. If the configuration file update completed successfully, restart the iManage Work Server service for the changes to take effect.

7. Repeat steps 1-6 for each Work Server in your environment.

The UpdateWorkSiteConf.ps1 script adds the following entry to the end of the Apache configuration file for Work Server (worksite.conf):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond "%{QUERY_STRING}" "unix:" [NC]
RewriteRule "." "-" [F]
</IfModule>

The configuration change blocks the ability to exploit the vulnerability. A future release of Work Server will also include an Apache update that includes a patch to address this issue.
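To confirm the entry is present and active after running the script or editing the file by hand, the following check can be used. It is an added example, not iManage's UpdateWorkSiteConf.ps1 script; the function name Test-WorkSiteMitigation is hypothetical, the sample lines are constructed, and nested <IfModule> sections are not handled.

```powershell
# Added example, not iManage's UpdateWorkSiteConf.ps1: report whether a set of
# Apache config lines contains an active copy of the advisory's rewrite block.
function Test-WorkSiteMitigation {
    param([string[]] $Lines = @())
    $inBlock  = $false  # inside <IfModule mod_rewrite.c>
    $engine   = $false  # "RewriteEngine On" seen in this block
    $conds    = 0       # RewriteCond lines since the last RewriteRule
    $unixCond = $false  # one of them is the QUERY_STRING "unix:" [NC] test
    $blocked  = $false  # a [F] rule guarded only by that condition

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # blank or commented out

        if ($line -match '^<IfModule\s+mod_rewrite\.c\s*>$') {
            $inBlock = $true; $engine = $false; $conds = 0; $unixCond = $false; $blocked = $false
        }
        elseif ($line -match '^</IfModule\s*>$') {
            if ($inBlock -and $engine -and $blocked) { return $true }
            $inBlock = $false
        }
        elseif (-not $inBlock) { continue }
        elseif ($line -match '^RewriteEngine\s+On$') { $engine = $true }
        elseif ($line -match '^RewriteCond\s') {
            # Extra conditions are ANDed with ours and would narrow the block, so count them.
            $conds++
            if ($line -match '^RewriteCond\s+"?%\{QUERY_STRING\}"?\s+"?unix:"?\s+\[([^\]]*)\]$') {
                $unixCond = ($Matches[1].Trim() -split '\s*,\s*') -contains 'NC'
            }
        }
        elseif ($line -match '^RewriteRule\s') {
            # Conditions apply only to the RewriteRule that follows them.
            if ($conds -eq 1 -and $unixCond -and
                $line -match '^RewriteRule\s+"?\."?\s+"?-"?\s+\[([^\]]*)\]$') {
                if (($Matches[1].Trim() -split '\s*,\s*') -contains 'F') { $blocked = $true }
            }
            $conds = 0; $unixCond = $false
        }
    }
    return $false
}

# Constructed samples: the block as published, and a copy with the rule commented out.
$good = @('<IfModule mod_rewrite.c>', 'RewriteEngine On',
          'RewriteCond "%{QUERY_STRING}" "unix:" [NC]', 'RewriteRule "." "-" [F]', '</IfModule>')
$bad = $good -replace '^RewriteRule', '# RewriteRule'
"as published : $(Test-WorkSiteMitigation -Lines $good)"
"rule disabled: $(Test-WorkSiteMitigation -Lines $bad)"
```

To check a server, pass the function the output of Get-Content for that server's worksite.conf file. A result of False means the block is missing, commented out, or altered and should be reviewed before the Work Server service is restarted.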

*Note: You may receive a pop-up warning that this link may cause harm to your computer. This occurs because the file is recognised as a script that can execute "code". If you see this pop-up, select "Keep". If for some reason you are unable to download the file, you can manually update the worksite.conf file with the entry shown after step 7.

iManage Threat Manager

iManage Threat Manager 10.2.0.1 is now available, and it includes an Apache update that addresses this issue. To resolve this issue for Threat Manager, upgrade to version 10.2.0.1.

Refer to the Threat Manager release page for the new version download and related resources.

iManage Extract

The iManage Extract image (OVF file) includes a default configuration that automatically updates required components regularly, including Apache.

If your iManage Extract system has internet access, the patched version of Apache should already be installed. Refer to the Validate your version of Apache on Ubuntu section for steps to verify the necessary update is installed.

If your iManage Extract system does not currently have access to the internet to run the unattended upgrade, you must manually install the update. Refer to the Manually install the Apache update for Ubuntu section for steps to install the necessary update.

Validate your version of Apache on Ubuntu

To validate if you have the necessary minimum version of Apache for iManage Extract, complete the following steps:

1. Sign in to the Ubuntu server hosting iManage Extract.

2. Run the following command to return the version of Apache installed on Ubuntu - dpkg -l | grep apache2

3. Verify that the command returns a minimum version of 2.4.41-4ubuntu3.6 to ensure the Apache vulnerability is addressed.

This version is different because Ubuntu provides their own packaging for Apache. The fix for CVE-2021-40438 is referenced on the following Ubuntu release page for version 2.4.41-4ubuntu3.6.

Manually install the Apache update for Ubuntu

If the iManage Extract image does not currently have access to the internet to run the unattended upgrade, you must manually install the update.

To manually install the update, complete the following steps:

1. Sign in to the Ubuntu server hosting iManage Extract.

2. Connect the server to the internet.

3. Run the following command to start the upgrade - sudo apt update && sudo unattended-upgrade -d


After the upgrade completes, refer to the Validate your version of Apache on Ubuntu section for steps to verify the necessary update is installed.

What if I need help?

If you would like assistance applying the remedies to fix the Apache vulnerability, please contact support.
