VoIP Detective is built on Alma Linux (earlier versions were built on Centos Linux).  From there we run other software, such as Apache, MariaDB, and PHP on top (commonly known as the LAMP stack).  Occasionally, there are requests to upgrade the underlying OS, usually to patch a security vulnerability.  

VoIP Detective OS version versus Linux OS version : Each VoIP Detective VM has a "VoIP Detective OS version" that can be found on the Administrator -> System Status page.  This OS version references the drivers and settings that were build into that virtual machine, and is different from the Linux OS (which can be updated as described below).  The VoIP Detective OS version cannot be upgraded, however you can migrate to a new VoIP Detective VM.

VoIP Detective OS version 2.7 and up of VoIP Detective offers an easy to use command line way of upgrading the OS. 

Upgrading VoIP Detective versus upgrading the OS:

It is easy to upgrade the VoIP Detective produce through the GUI, by going to Administration -> Update.  This will allow you to run the latest version of the VoIP Detective software.  This article however is aimed at upgrading the underlying Linux appliance - similar to upgrading Windows (the OS), as opposed to upgrading Microsoft Office (VoIP Detective software).

OS Upgrade procedure:

  1. Log into the VoIP Detective CLI (command line interface).  This can be done by using an SSH client (such as putty), or by using the VMware or Hyper-V console.  You should use the username cliadmin (password can be found here).
  2. From the menu, choose the option "update Linux OS"
  3. Choose the option that you'd like to upgrade.  Commonly, customers would choose to update the components of the OS (yum update), which is what we will do in this instance.
  4. You may be prompted to re-enter the cliadmin password
  5. You'll likely be prompted to press Enter to complete the upgrade
  6. Apache should be automatically restarted
  7. Generally the change is immediate, however depending on the update you are performing, you may need to reboot the virtual machine.

Important note about updating only Apache:

It is possible, using the command line interface, to upgrade only apache, however, if you are using SSL (i.e. https) on your VoIP Detective installation, this may cause problems.  If only Apache is upgraded, but not the modules that allow for SSL, then Apache may fail to start.  If after upgrading only Apache, your VoIP Detective displays a broken, or only white page, please go back into the command line interface and choose the OS upgrade option to upgrade all components of the OS.  This will upgrade the modules that power Apache.

Version numbers and backporting:

Security scanners often probe systems, looking for version numbers, taking the reported version number and comparing it to a list of what they consider to be vulnerable versions.  This is a valid method in many scenarios, however can cause problems when it comes to the world of Linux.

Backporting is when a software patch or update is taken from a recent software version and applied to an older version of the same software.  A backport is most commonly used to address security flaws in legacy software or older versions of the software that are still supported by the developer. In many cases, the user maintains the older version of the software because the newer version has stability issues or may be incompatible with downstream applications.

This means that your security scanner may alert to an older version of Apache, PHP, or openSSL, however in reality, this software has been patched against the most recent vulnerabilities, yet retains it's old version number.

How can I tell if VoIP Detective is patched against the most recent exploits?

First, make sure you are running the latest version of VoIP Detective (Administration -> Update)

Next, update your operating system using the above guide.  

Log into the CLI again, and go to the "update linux OS" section.  

Choose option 9 for "package information"

Next choose the package you are interested in.  This will output a file (you may need to scroll back through the output) that outlines all of the patches that have been backported to your current installation.  You'll notice that while the version number for your software may appear old, there are likely recent patches that have been applied.

If you would like more information about backporting, please look at the following:

Crowdstrike.com : What is Backporting?

Redhat.com : What is backporting, and how does it apply to RHEL and other Red Hat products?