macOS Vulnerability: httpd

R_C
Contributor

One of the many tasks under my scope is patching of vulnerabilities on macOS systems. Recently every single machine has been flagged for having a vulnerable version of "httpd" to which there doesn't appear to be a path toward remediation aside from upgrading to Big Sur.

Alternatively I have been digging through options to see whether I could create an extension attribute which would check and alert me of any systems that have apache running. Sadly all command line options seem to be a dead end, as the likely option of running "sudo apachectl status" will just return the following:

"Go to http://localhost:80/server-status in the web browser of your choice.
Note that mod_status must be enabled for this to work."

Has anyone else had to deal with addressing this vulnerability, and how have you gone about remediating the issue?

Apache 2.4.x < 2.4.46 Multiple Vulnerabilities
(Report on Tenable's website regarding the vulnerability)
https://www.tenable.com/plugins/nessus/139574

Upgrade or Remove Apache Web Server - macOS Catalina
(Thread on Apple's Discussion board of someone in the same boat)
https://discussions.apple.com/thread/252669979

macOS Catalina how to upgrade the Apache httpd
(Another thread on Apple's Discussion board of someone in the same boat)
https://discussions.apple.com/thread/252546898

1 ACCEPTED SOLUTION

It's somewhat of a false positive. While it is a vulnerability, httpd is disabled by default unless otherwise enabled.

Command to disable Apache\httpd:

/bin/launchctl disable system/org.apache.httpd

Command to check whether Apache\httpd is enabled:

# prints 1 when org.apache.httpd is marked disabled, 0 when it is not
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'



mschroder
Valued Contributor

Are these Macs using the httpd, or are you simply worried because it is installed? From the "Go to http://localhost:80/server-status in the web browser of your choice. Note that mod_status must be enabled for this to work." I would conclude that apache is not running on that device.

boberito
Valued Contributor

https://github.com/usnistgov/macos_security/blob/main/rules/os/os_httpd_disable.yaml

Here's a check and remediation for seeing if Apache is running.

harsha
New Contributor III

May I know how to deploy the patch management?

BS071
New Contributor

Hey @R_C

What wound up happening with this at your org?

We're also using Tenable and this (along with newer versions) is being flagged as a high. Curious to know if this was a false positive for macOS endpoints and how you handled it.


dvasquez
Valued Contributor

@R_C this was helpful:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'

I also set up an extension attribute to help with the status of my managed laptops; maybe this will help someone (be warned, it is nothing fancy):

#!/bin/bash

# Count lines marking org.apache.httpd as disabled: 1 = disabled, 0 = not disabled
status=$(/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true')
echo "<result>$status</result>"

RNCNetops
New Contributor

Is there a way to patch it or better remove it?

Apparently only if you want to disable SIP and try to update the files, but that creates entirely new issues.

Best way is to just upgrade the OS to Big Sur or Monterey. Considering that Catalina will be EOL in a few months, that would be the easiest method.

Additionally, apache may be installed on the machine but is disabled by default. So long as you keep it disabled, there should be minimal concern.

N30
New Contributor III

Since Apple MacOS Monterey 12.6.2 comes with the latest apache version 2.4.54, best way is to update your MacOS to the latest Monterey (MacOS Monterey 12.6.3).

dvasquez
Valued Contributor

You can setup detection for this in Jamf Pro with an extension attribute but also you can verify the version using this command:

/usr/sbin/httpd -v

I am running macOS Ventura 13.2 and my version is:

Server version: Apache/2.4.54 (Unix)
Server built: Dec 16 2022 22:01:38

Hope this helps!
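
Added example (not code from the thread or from any of the posters): an extension attribute that combines the two checks discussed above, the `launchctl print-disabled` state from dvasquez's EA and the `httpd -v` version from the last reply, and only flags the machine when httpd is both enabled and below 2.4.46 (the cutoff in the Tenable plugin title quoted in the original post). The result wording, the treatment of a service with no entry in the override database (assumed to fall back to the Disabled key in its LaunchDaemon plist), and the function names are this example's own assumptions. The parsing is split into functions that take the command output as a string, so it can be exercised offline against constructed samples; the live commands only run where /bin/launchctl exists.

```shell
#!/bin/bash
# Added example, not from the thread: Jamf extension attribute for Apple's
# bundled Apache httpd. Reports the launchd disabled state and the installed
# version, and flags the host only when httpd is ENABLED and older than 2.4.46.
# The 2.4.46 threshold comes from the Tenable plugin named in the original
# post; everything else here (wording, function names) is an assumption.

# Interpret `launchctl print-disabled system` output. A line such as
#   "org.apache.httpd" => true
# means the service is marked DISABLED (true = disabled), which is why the
# thread's `grep -c ... => true` one-liner prints 1 when httpd is off.
# Prints one of: disabled | enabled | unlisted
httpd_disabled_state() {
  if printf '%s\n' "$1" | grep -q '"org.apache.httpd" => true'; then
    echo disabled
  elif printf '%s\n' "$1" | grep -q '"org.apache.httpd" => false'; then
    echo enabled
  else
    echo unlisted   # no override recorded; assumed to use the plist's Disabled key
  fi
}

# Extract "2.4.54" from `httpd -v` output ("Server version: Apache/2.4.54 (Unix)").
httpd_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Numeric per-component compare in awk so it works with BSD userland
# (macOS sort has no -V) and so 2.4.9 sorts below 2.4.46.
version_lt() {
  printf '%s\n%s\n' "$1" "$2" | awk -F'[.]' '
    NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; n = NF; next }
    NR == 2 {
      m = (NF > n) ? NF : n
      for (i = 1; i <= m; i++) {
        x = a[i] + 0; y = $i + 0
        if (x < y) exit 0
        if (x > y) exit 1
      }
      exit 1   # equal versions are not "less than"
    }'
}

# Build the EA result string from the disabled state and the version.
# A disabled service is not reachable over the network, but the binary is
# still on disk, so the scanner will keep matching on its version.
ea_result() {
  state="$1"; ver="$2"
  if [ "$state" = "disabled" ]; then
    echo "httpd disabled (Apache/${ver:-unknown}): service off, binary still present"
  elif [ -n "$ver" ] && version_lt "$ver" "2.4.46"; then
    echo "httpd ENABLED, Apache/$ver < 2.4.46: remediate"
  else
    echo "httpd enabled or unlisted, Apache/${ver:-unknown}"
  fi
}

# Live checks only where launchctl exists (i.e. on macOS); output Jamf EA XML.
if command -v /bin/launchctl >/dev/null 2>&1; then
  state=$(httpd_disabled_state "$(/bin/launchctl print-disabled system 2>/dev/null)")
  ver=$(httpd_version "$(/usr/sbin/httpd -v 2>/dev/null)")
  echo "<result>$(ea_result "$state" "$ver")</result>"
fi
```

Scope the Jamf smart group on results that start with "httpd ENABLED" rather than on the bare 0/1 count, so a disabled-but-present httpd does not keep showing up as a finding. This only looks at the launchd service; it says nothing about a web server started by hand or installed through Homebrew, which is a separate check.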