When a vulnerability scanner detects the finding "Apache 2.4.x < 2.4.52 Multiple Vulnerabilities", it reports it with a CVSS v3 score of 9.8.


When a vulnerability scanner detects the finding "Apache 2.4.x < 2.4.53 Multiple Vulnerabilities", it reports it with a CVSS v3 score of 9.8.


CVSS:

CVSS is an industry-standard scoring system for vulnerabilities. It rates each finding with a number ranging from 0 to 10. The scores are shown as:

The Vulnerability Information

The Apache software causing this vulnerability is installed and bundled by default with all Apple macOS devices, on all versions (Catalina, Big Sur, Monterey etc.).

The application is installed but is disabled by default and is not active. However, the manufacturer does not provide updates for this application along with the OS updates.


Remediation

For the purpose of a Cyber Essentials Plus assessment, this vulnerability is not considered, as the manufacturer does not provide updates for it and it is disabled by default.

Command to disable Apache/httpd:

/bin/launchctl disable system/org.apache.httpd

Command to check whether Apache/httpd is enabled:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'
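
An added example (not part of the original article) that interprets the output of the check command: in the print-disabled listing, "=> true" means the service is disabled, so the command above prints 1 when Apache is disabled. The function name httpd_state, the sample listing, and the handling of an "=> enabled" / "=> disabled" spelling are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify org.apache.httpd from the text that
# `/bin/launchctl print-disabled system` prints.
# httpd_state is a hypothetical helper; it reads the listing on stdin.

httpd_state() {
    # The listing has one line per service label; keep only the httpd line.
    line=$(grep -F '"org.apache.httpd" =>' | head -n 1)
    case "$line" in
        '')
            echo absent ;;      # no entry for httpd in the listing
        *'=> true'*|*'=> disabled'*)
            echo disabled ;;    # "true" here means "disabled is true"
        *'=> false'*|*'=> enabled'*)
            echo enabled ;;     # service is allowed to load: investigate
        *)
            echo unknown ;;     # unexpected format: check by hand
    esac
}

# Constructed sample of the listing format (not captured from a real host).
SAMPLE_LISTING='disabled services = {
	"com.example.constructed.agent" => false
	"org.apache.httpd" => true
}'

# On a Mac, classify the live listing; elsewhere, fall back to the sample.
if [ -x /bin/launchctl ]; then
    /bin/launchctl print-disabled system | httpd_state
else
    printf '%s\n' "$SAMPLE_LISTING" | httpd_state
fi
```

A result of "enabled" or "unknown" is the case to follow up before treating the scanner finding as out of scope.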
