I would like to bring something to everyone's attention as I am honestly shocked about this.
As I am sure everyone knows, Apache suffered from a few critical vulnerabilities recently. Since Desktop Central and the Distribution Servers make use of Apache, I emailed Support at the beginning of October, asking them if they can update Apache from version 2.4.46 to version 2.4.51. At the end of October they provided me with manual steps on how to update Apache on the Desktop Central servers and the Distribution Servers. They also included updates for OpenSSL.
A few weeks later I upgraded to build 10.1.2127.18. Whereas the Apache version on the Desktop Central server did not change, the Apache versions on the Distribution Servers were downgraded to the outdated version again. I was advised to run the manual steps again. I was wondering why they did not include the most recent version in the hotfix and why manual steps were still required.
Some time later I upgraded to build 10.1.2127.20. Again, the Apache version was downgraded and manual steps had to be run.
Recently we upgraded to build 10.1.2137.9 and guess what, the Apache version was once again downgraded. I don't know what to say to this anymore. Why does it have to take months before this is fixed once and for all?
I have lost track of the number of tickets I opened due to outdated and insecure Apache, Java, Struts, Log4j, Nginx... components over the years. I get the impression that ManageEngine sometimes only acts once their customers raise concerns, either via tickets or forum posts. This should not be our responsibility in my opinion.