Posted on 05-09-2021 04:35 PM
One of the many tasks under my scope is patching of vulnerabilities on macOS systems. Recently every single machine has been flagged for having a vulnerable version of "httpd" to which there doesn't appear to be a path toward remediation aside from upgrading to Big Sur.
Alternatively I have been digging through options to see whether I could create an extension attribute which would check and alert me of any systems that have apache running. Sadly all command line options seem to be a dead end as the likely option of running "sudo apachectl status" will just return the following "Go to http://localhost:80/server-status in the web browser of your choice.
Note that mod_status must be enabled for this to work."
Has anyone else had to deal with addressing this vulnerability, and how have you gone about remediating the issue?
Apache 2.4.x < 2.4.46 Multiple Vulnerabilities
(Report on Tenable's website regarding the vulnerability)
https://www.tenable.com/plugins/nessus/139574
Upgrade or Remove Apache Web Server - macOS Catalina
(Thread on Apple's Discussion board of someone in the same boat)
https://discussions.apple.com/thread/252669979
macOS Catalina how to upgrade the Apache httpd
(Another thread on Apple's Discussion board of someone in the same boat)
https://discussions.apple.com/thread/252546898
Posted on 05-10-2021 01:23 AM
Are these Macs using the httpd, or are you simply worried because it is installed? From the "Go to http://localhost:80/server-status in the web browser of your choice. Note that mod_status must be enabled for this to work." I would conclude that apache is not running on that device.
Posted on 05-10-2021 11:54 AM
https://github.com/usnistgov/macos_security/blob/main/rules/os/os_httpd_disable.yaml
Here's a check and remediation for seeing if Apache is running.
Posted on 10-05-2021 02:01 AM
May I know how to deploy the patch management?
Posted on 10-20-2021 09:26 AM
Hey @R_C
What wound up happening with this at your org?
We're also using Tenable and this (along with newer versions) is being flagged as a high. Curious to know if this was a false positive for macOS endpoints and how you handled it.
Posted on 10-20-2021 01:52 PM
It's somewhat of a false positive. Whereas it is a vulnerability, httpd is default disabled unless otherwise enabled.
Command to disable Apache\httpd:
/bin/launchctl disable system/org.apache.httpd
Command to check whether Apache\httpd is enabled:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'
Posted on 01-25-2023 02:12 PM
@R_C this was helpful:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'
I also set up an extension attribute to help with the status of my managed laptops, maybe this will help someone (be warned, it is nothing fancy):
#!/bin/bash
status=$(/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true')
echo "<result>$status</result>"
Posted on 06-22-2022 10:07 AM
Is there a way to patch it or better remove it?
Posted on 07-21-2022 03:10 PM
Apparently only if you want to disable SIP and try to update the files but that creates entirely new issues.
Best way is to just upgrade the OS to Big Sur or Monterey. Considering that Catalina will be EOL in a few months, that would be the easiest method.
Additionally, apache may be installed in the machine but is disabled by default. So long as you keep it disabled, there should be minimal concern.
Posted on 02-06-2023 04:48 PM
Since Apple macOS Monterey 12.6.2 comes with the latest Apache version 2.4.54, the best way is to update your macOS to the latest Monterey (macOS Monterey 12.6.3).
Posted on 02-09-2023 08:59 AM
You can set up detection for this in Jamf Pro with an extension attribute, but you can also verify the version using this command:
/usr/sbin/httpd -v
I am running macOS Ventura 13.2 and my version is:
Server version: Apache/2.4.54 (Unix)
Server built: Dec 16 2022 22:01:38
Hope this helps!
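The two checks from this thread (the launchctl disabled-override lookup and the `httpd -v` version) combined into one extension attribute, as an added example that is not code from any poster here. The function names and result strings are hypothetical, the `=> disabled` output form on newer macOS releases is an assumption, and 2.4.46 is the threshold from the Tenable plugin title quoted in the first post.

```shell
#!/bin/bash
# Added example: one extension attribute reporting httpd version AND service state.
FIXED="2.4.46"   # threshold from the plugin title "Apache 2.4.x < 2.4.46"

# Classify the httpd entry in `launchctl print-disabled system` output (stdin).
# "=> true" is the form shown in the thread; "=> disabled" is assumed for newer macOS.
httpd_override() {
  awk -F'=> ' '/"org\.apache\.httpd"/ {
      state = ($2 ~ /^(true|disabled)/) ? "disabled" : "enabled"; found = 1 }
    END { print (found ? state : "no-override") }'
}

# Extract the X.Y.Z version from `httpd -v` output (stdin).
httpd_version() {
  sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Succeeds when version $1 is lower than $2 (numeric, field by field).
version_lt() {
  [ "$1" != "$2" ] &&
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Build the attribute value. $1 = override state, $2 = version string.
classify() {
  if [ -z "$2" ]; then
    echo "httpd version unknown, service $1"
  elif ! version_lt "$2" "$FIXED"; then
    echo "OK: httpd $2"
  elif [ "$1" = "disabled" ]; then
    echo "Vulnerable version $2, service disabled"
  else
    echo "ACTION: vulnerable httpd $2, service $1"
  fi
}

# Query the live system only where the macOS binaries exist.
if [ -x /bin/launchctl ] && [ -x /usr/sbin/httpd ]; then
  state=$(/bin/launchctl print-disabled system | httpd_override)
  ver=$(/usr/sbin/httpd -v 2>/dev/null | httpd_version)
  echo "<result>$(classify "$state" "$ver")</result>"
fi
```

A smart group scoped on results beginning with "ACTION" then lists only the Macs where a flagged version is present and the service has not been disabled.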