Security scan rating is F yet Nextcloud version is latest

When I perform a security scan on my Nextcloud server, instead of being A+, it is now F.

The scan says I have the latest patch level but that the major version is NOT supported.

There is a statement saying…

“Your version is end-of-life and is very likely affected by many vulnerabilities. Unfortunately, security advisories are not available for a such outdated version, thus we cannot create an automated list of vulnerabilities. You should update as soon as possible.”

I cannot update Nextcloud because it says my version is up to date.

Is the problem that I am using Ubuntu 20.04.6? Do I need to upgrade to 24.04?

Nextcloud version: 25.0.13.2
Operating system and version: Ubuntu 20.04.6 LTS
Apache or nginx version: Apache 2.4.41
PHP version: PHP 7.4.3

You cannot directly upgrade from Ubuntu 20.04 LTS to Ubuntu 24.04 LTS. You must first dist-upgrade from Ubuntu 20.04 LTS to Ubuntu 22.04 LTS. That is possible with your current Nextcloud 25.

After the dist-upgrade to Ubuntu 22.04 LTS, upgrade from Nextcloud 25 to Nextcloud 26. Then to Nextcloud 27, 28 and 29. Nextcloud 29 supports Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. Then you can e.g. dist-upgrade from Ubuntu 22.04 LTS to Ubuntu 24.04 LTS.

[old part deleted because Nextcloud 26 requires PHP > 7.4 (e.g. PHP 8.0)]

2 Likes

Another common approach is the Sury PHP packages: https://deb.sury.org/

These offer some additional flexibility with regard to PHP versions across different versions of Ubuntu and Debian, which can be helpful on some of the older versions of these distributions in particular.

1 Like

Thanks devnull

Just to clarify, the reason for the F rating is that my Ubuntu version is 20.04, then?

I’ve never performed an upgrade on Ubuntu, I put it off because I was worried it would break things.

Not just Nextcloud, but other software I am using such as Plex etc.

Is it easy to upgrade Ubuntu from 20.04 to 24.04? Is there a good chance it would break things?

You must first upgrade to Ubuntu 22.04 LTS.

1 Like

Technically, no. It’s because you’re running an old version of Nextcloud Server that reached end of support long ago. And the reason you’re stuck on that version of Nextcloud Server is because of your old (also, technically unsupported) version of PHP which is preventing an upgrade of a newer Nextcloud Server version.

You can either:

  • upgrade your Ubuntu host now to a more current version which will contain a somewhat newer PHP in it. This will enable you to upgrade Nextcloud.
  • upgrade PHP on almost any version of Ubuntu out there using the Sury packages (these are well known and respected and distributed by the maintainer of the official Ubuntu PHP packages: How to install/upgrade PHP 8.2 on Debian and Ubuntu systems • PHP.Watch)

You will need to upgrade your Ubuntu version at some point either way to continue receiving security updates and bug fixes for your OS in general. And @devnull provided some resources / ideas for that path.

Hope that helps.

2 Likes

Thanks all, I will look into upgrading Ubuntu when I get chance.

In the meantime, I am concerned about the F rating as it says “This server version is end of life and has no security fixes anymore. It is likely trivial to break in and steal all the data or even take over the entire server.”

I want to disable Nextcloud to mitigate this risk, so I have put Nextcloud into maintenance mode. Is this enough, or is it still a risk? If it's still a risk, is there another way I can temporarily disable Nextcloud to mitigate the risk?

Is it really a safety risk? First of all, someone has to come up with the idea of attacking exactly one of the hundreds of thousands of Nextclouds. If you want the data to be accessible via the Internet, you can also get a managed Nextcloud from a hoster. The hoster will then take care of the Nextcloud. You do the same with your email provider. And you could have really important data inaccessible at home even without Nextcloud, e.g. on a NAS or a USB hard drive.

Why don’t you just update your Nextcloud and your Ubuntu? Surely you also regularly install updates for applications and the operating system on your Windows computer, right?

As with your important Windows computer, you should of course make a backup before every update.

1 Like

Maintenance mode is handled on the application layer: you cannot use Nextcloud anymore, but all of the outdated stack (webserver, PHP) is still available and could be attacked. As you can't use the application at all, I would shut down the webserver to fully mitigate the security risk. But before you think about mitigation of theoretical security risks, I would simply upgrade the system :wink: And in case you are not aware, there is a wonderful script for easy PHP upgrades: Php-updater - a script to upgrade php in a safe way

2 Likes

I advise against using the script in the case of @freeflyer. The PHP version is not the problem. Nextcloud and Ubuntu need to be updated. It is unnecessary to get an additional source.

Start with:
sudo -u www-data php /path/to/nextcloud/updater/updater.phar
documentation

Maintenance and Release Schedule (Nextcloud 28 and Nextcloud 29 are maintained)

1 Like

@freeflyer
I had another look. If you do not want to use a PHP version from a third-party source, you must first update to Ubuntu 22.04 LTS. I have adjusted my post above accordingly.

1 Like
