Our campus IT has raised a couple of concerns about CVE vulnerabilities related to running Omeka on Apache. Does anyone know if these CVEs are actual concerns for Omeka?
#7: 150462 Apache HTTP Server Buffer Overflow Vulnerability (CVE-2021-44790)
#8: 150461 Apache HTTP Server mod_proxy Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-40438)
#11: 150456 Apache HTTP Server NULL pointer dereference and Server Side Request Forgery (SSRF) Vulnerability (CVE-2021-44224)
Specifically, these vulnerabilities are only problems if the server or things on it are using mod_lua, mod_proxy and “forward proxy functionality.”
Are those used at all in Omeka?
Omeka doesn’t use or depend on any of those features. Whether or not any of them are used by something else would depend on your particular server configuration, independent of Omeka.
Also note that for all of those that you’ve listed, the issues were already fixed with updates to the distribution’s Apache packages, so if your server is using the up-to-date httpd package none of these apply anyway.
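As an added illustration of the reply above (this is example code, not something from the Omeka project or the forum thread), the script below takes the output of `httpd -M` and the httpd configuration text and reports whether the features the three advisories depend on (mod_lua, mod_proxy, and forward proxying via `ProxyRequests On`) are actually enabled on a given server. The module list and config fragment embedded here are constructed samples, and the mapping of each feature to a CVE follows the titles quoted in the question.

```shell
#!/bin/sh
# Added example (not from the Omeka forum thread): check whether the Apache
# features named in the listed advisories are in use on this server.
# The inputs below are constructed samples; see the usage lines at the end
# for how to feed in real `httpd -M` output and configuration files.

# Constructed sample of `httpd -M` output (mod_proxy loaded, mod_lua not)
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 rewrite_module (shared)
 php_module (shared)'

# Constructed sample httpd.conf fragment: forward proxying is switched on,
# and mod_lua appears only in a commented-out LoadModule line.
SAMPLE_CONF='ServerName omeka.example.test
ProxyRequests On
<Proxy *>
    Require all denied
</Proxy>
# LoadModule lua_module modules/mod_lua.so'

# module_loaded MODULES_TEXT MODULE_NAME
# Succeeds (exit 0) when MODULE_NAME appears in the `httpd -M` listing.
# `httpd -M` is authoritative: a commented LoadModule line does not count.
module_loaded() {
    printf '%s\n' "$1" | grep -q "^ *$2 ("
}

# forward_proxy_enabled CONF_TEXT
# Succeeds when an uncommented "ProxyRequests On" directive is present.
forward_proxy_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -qi '^[[:space:]]*ProxyRequests[[:space:]][[:space:]]*On'
}

# assess MODULES_TEXT CONF_TEXT
# Prints one line per feature and returns 0 when none of the advisory-relevant
# features are enabled, 1 when at least one is.
assess() {
    mods=$1
    conf=$2
    risky=0
    if module_loaded "$mods" lua_module; then
        echo "mod_lua: loaded (relevant to CVE-2021-44790)"
        risky=1
    else
        echo "mod_lua: not loaded"
    fi
    if module_loaded "$mods" proxy_module; then
        echo "mod_proxy: loaded (relevant to CVE-2021-40438)"
        risky=1
        if forward_proxy_enabled "$conf"; then
            echo "forward proxy: ProxyRequests On (relevant to CVE-2021-44224)"
        else
            echo "forward proxy: off"
        fi
    else
        echo "mod_proxy: not loaded"
        echo "forward proxy: off (mod_proxy not loaded)"
    fi
    return $risky
}

# Run against the constructed samples. On a real RHEL host you would use:
#   assess "$(httpd -M 2>/dev/null)" "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf)"
assess "$SAMPLE_MODULES" "$SAMPLE_CONF" \
    || echo "At least one advisory-relevant feature is enabled; confirm the httpd package is patched."
```

Because RHEL backports fixes without changing the upstream version number, the module check is only half the picture; the other half is confirming the fix is in the installed package, which on RHEL is recorded in the package changelog (for example `rpm -q --changelog httpd | grep -i CVE-2021-44790`). A server on which neither mod_lua nor mod_proxy is loaded has none of the listed surfaces regardless of version, which is the point the reply makes: Omeka itself needs none of them, so what matters is the rest of the server configuration.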
We are on Red Hat Enterprise, which apparently uses a different numbering schema than official Apache (for reasons that are unclear to me) but it’s good to know Omeka, at least, doesn’t use those.