OBAM vulnerable Apache version...



Security is "dinging" us for the following vulnerable apache version:

# cd /usr/obam/server/bin
# ./httpd -version
Server version: Apache/1.3.9 (Unix)
Server built: Sep 20 2001 18:30:25

I just installed PHCO_35520 (SAM upgrade) and this did not upgrade apache.

Can someone tell me what I must do to upgrade this product, or what the impact would be of deleting this httpd?

Steve Hinchman
Marco A.
Esteemed Contributor

Re: OBAM vulnerable Apache version...

Hello Steve,

Have you tried the SWA tool? It could tell you exactly the patches and software that you need to avoid security vulnerabilities.

I hope this helps,

You can take the tool from hppt:// search for SWA.


Just unplug and plug in again ....
Mel Burslan
Honored Contributor

Re: OBAM vulnerable Apache version...

If your server is not using any kind of web access to any of the applications, you can safely turn off the httpd daemon by setting the variable APACHE_START=0 in the /etc/rc.config.d/apacheconf file.

Hope this helps.

By the way, in case you want to update the apache web server, just go to

and search for apache for later versions.
UNIX because I majored in cryptology...
Marco A.
Esteemed Contributor

Re: OBAM vulnerable Apache version...

Yes, you can also install a newer version.

In addition..., the right link is...

Best regards,

Just unplug and plug in again ....
Steven E. Protter
Exalted Contributor

Re: OBAM vulnerable Apache version...

Shalom Steve,

Get the latest release of apache 1.3.x from

HP has dropped support for this version of apache and you might be advised to update to the latest 2.0.x version from the site linked above. Search for hpws.

Steven E Protter
Owner of ISN Corporation

Re: OBAM vulnerable Apache version...

These are DoD systems and we stay 6 months behind the latest patch bundles to maximize the testing period for new patches.

I need to leave apache enabled in /etc/rc.config.d because applications are using other installed versions of apache.

What would break if I simply removed httpd from /usr/obam/server/bin?

Mel Burslan
Honored Contributor

Re: OBAM vulnerable Apache version...

As far as I know obam is a user interface management abstraction layer. And the only application using it right out of the box is SAM. If you are not using sam over a web interface, more than likely it will not break anything but again since this is a general purpose application, for the lack of a better term, if some other app was written, dependent on it, you may experience difficulty later, should you choose to remove the binary. Instead, you can rename it to something else to save it and then, if something needs it and cries out for a missing executable, you can restore it with ease.

UNIX because I majored in cryptology...
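
The rename-and-keep approach suggested above, sketched as an added example that is not part of any post in this thread or of HP's tooling. The function names, the `.disabled` suffix and the default restore mode of 555 are assumptions of this example; the version check stops it from touching one of the other Apache installs by mistake.

```shell
#!/bin/sh
# Added example: reversible quarantine of a legacy httpd binary.
# Function names, the ".disabled" suffix and the default mode are assumptions.

# Print the version token (e.g. "Apache/1.3.9") that an httpd binary reports.
httpd_version() {
    "$1" -version 2>/dev/null |
        sed -n 's/^Server version: *\([^ ]*\).*/\1/p'
}

# Rename the binary and strip its permission bits so nothing can exec it,
# but only when it reports the version the scanner flagged.
quarantine_httpd() {
    bin=$1 expect=$2
    [ -f "$bin" ] || { echo "not found: $bin" >&2; return 2; }
    found=$(httpd_version "$bin")
    [ "$found" = "$expect" ] || {
        echo "skip $bin: reports '$found', expected '$expect'" >&2
        return 1
    }
    mv "$bin" "$bin.disabled" && chmod 000 "$bin.disabled"
}

# Put the binary back if an application turns out to need it.
# The second argument is the mode to restore (assumed 555 if omitted).
restore_httpd() {
    bin=$1 mode=${2:-555}
    [ -f "$bin.disabled" ] || { echo "nothing to restore: $bin" >&2; return 2; }
    mv "$bin.disabled" "$bin" && chmod "$mode" "$bin"
}

# Usage with the path and version shown in this thread:
#   quarantine_httpd /usr/obam/server/bin/httpd Apache/1.3.9
#   restore_httpd    /usr/obam/server/bin/httpd
```

Renaming the file does not stop an httpd process that is already running from it, so check the process list before and after.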

Re: OBAM vulnerable Apache version...

I am going to rename the httpd exec and see if anything breaks. Thanks for all your responses.
Keith Buck
Respected Contributor

Re: OBAM vulnerable Apache version...


Security Bulletin HPSBUX01047 tells you to disable that version of Apache if installed. Here is the URL to that document:

Some background: There are two versions of OBAM, which is an internal library used for much of the TUI/GUI functionality you see in SAM, swinstall, etc. Obam4 is what you are used to seeing. Obam5 was not widely used, but is the one you are having the problem with (and the one that should be disabled per the above bulletin).

The only two applications that used Obam5 were Service Control Manager (now replaced by HPSIM, which does not use Obam) and an older version of PartitionManager (the new one also does not use Obam).

If you are not using either of these applications, you can safely remove Obam and the products that depend on it (swremove will warn you when you're about to do something dangerous due to corequisites...I just did this the other day and all it took was removing those apps). If you are using those applications, you can upgrade them and then remove Obam. Or, you can apply the alternate workaround listed in the bulletin to turn it off (it is disabled by default).

The standard Apache is still supported by HP and upgrades are still issued.

I'll second the recommendation to use SWA, as it will tell you what HP security bulletins recommend before you get "dinged" by security. It can automatically download all the recommended patches and put them in a depot (and supports alternate sneakernet approaches if you don't have Internet connectivity) and performs full product and manual action analysis as well.

Hope that helps.