November 19, 2021 – Advisory: Apache Web Server provided with InterSystems kits – Vulnerability reports

InterSystems kits include an Apache web server, which provides a convenient way for customers to interact with the Caché/IRIS Management Portal without needing to install an external web server; however, this web server should never be used for production instances, and customers must install a web server that fits their specific needs and security/risk requirements.

Recent tests have noted some security issues with the currently included Apache web server. Because this is a third-party technology that InterSystems does not control, InterSystems recommends installing a web server version directly obtained from Apache or another third party and disabling the included Apache web server. Our product documentation includes instructions on how to disable the web server provided with our kits. In addition, Apache also offers uninstall instructions that can be found on the Apache website.

InterSystems plans to include a more recent version of the Apache web server in upcoming releases. Similar to the current version, this version also cannot be used for production instances. In future releases of our products, InterSystems will not ship or install any web server; we will provide further updates with the specifics of our plans.