Skip to main content
Solved

macOS Vulnerability: httpd

R
Forum|alt.badge.img+7
  • R_C
  • Contributor
  • 44 replies

One of the many tasks under my scope is patching of vulnerabilities on macOS systems. Recently every single machine has been flagged for having a vulnerable version of "httpd" to which there doesn't appear to be a path toward remediation aside from upgrading to Big Sur.

Alternatively I have been digging through options to see whether I could create an extension attribute which would check and alert me of any systems that have apache running. Sadly all command line options seem to be a dead end as the likely option of running "sudo apachectl status" will just return the following "Go to http://localhost:80/server-status in the web browser of your choice.
Note that mod_status must be enabled for this to work."

Has anyone else had to deal with addressing this vulnerability, and how have you gone about remediating the issue?

Apache 2.4.x < 2.4.46 Multiple Vulnerabilities
(Report on Tenable's website regarding the vulnerability)
https://www.tenable.com/plugins/nessus/139574

Upgrade or Remove Apache Web Server - macOS Catalina
(Thread on Apple's Discussion board of someone in the same boat)
https://discussions.apple.com/thread/252669979

macOS Catalina how to upgrade the Apache httpd
(Another thread on Apple's Discussion board of someone in the same boat)
https://discussions.apple.com/thread/252546898

Best answer by R_C

BS071 wrote:

Hey @R_C 

What wound up happening with this at your org? 

 

We're also using Tenable and this (along with newer versions) are being flagged as a high. Curious to know if this was a false-positive for MacOS endpoints and how you handled


It's somewhat of a false positive. Whereas it is a vulnerability, httpd is default disabled unless otherwise enabled.

 

Command to Disable Apache\\httpd

/bin/launchctl disable system/org.apache.httpd

 

Command to check whether Apache\\httpd is enabled:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'

 

View original
Did this topic help you find an answer to your question?

10 replies

M
Forum|alt.badge.img+12
  • mschroder
  • Valued Contributor
  • 359 replies
  • May 10, 2021

Are these Macs using the httpd, or are you simply worried because it is installed? From the "Go to http://localhost:80/server-status in the web browser of your choice. Note that mod_status must be enabled for this to work." I would conclude that apache is not running on that device.

boberito
Forum|alt.badge.img+22
  • boberito
  • Jamf Heroes
  • 449 replies
  • May 10, 2021

https://github.com/usnistgov/macos_security/blob/main/rules/os/os_httpd_disable.yaml

Here's a check and remediation for seeing if Apache is running.

R
jmahlman
2 people like this
  • R
    R_C
  • jmahlman
    jmahlman
H
Forum|alt.badge.img+5
  • harsha
  • Contributor
  • 63 replies
  • October 5, 2021

May I know how to deploy the patch management?

B
Forum|alt.badge.img+1
  • BS071
  • New Contributor
  • 3 replies
  • October 20, 2021

Hey @R_C 

What wound up happening with this at your org? 

 

We're also using Tenable and this (along with newer versions) are being flagged as a high. Curious to know if this was a false-positive for MacOS endpoints and how you handled

R
Forum|alt.badge.img+7
  • R_C
  • Author
  • Contributor
  • 44 replies
  • Answer
  • October 20, 2021
BS071 wrote:

Hey @R_C 

What wound up happening with this at your org? 

 

We're also using Tenable and this (along with newer versions) are being flagged as a high. Curious to know if this was a false-positive for MacOS endpoints and how you handled


It's somewhat of a false positive. Whereas it is a vulnerability, httpd is default disabled unless otherwise enabled.

 

Command to Disable Apache\\httpd

/bin/launchctl disable system/org.apache.httpd

 

Command to check whether Apache\\httpd is enabled:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'

 

glzkDOC
1 person likes this
  • glzkDOC
    glzkDOC
R
Forum|alt.badge.img+1
  • RNCNetops
  • New Contributor
  • 3 replies
  • June 22, 2022

Is there a way to patch it or better remove it?

 

R
Forum|alt.badge.img+7
  • R_C
  • Author
  • Contributor
  • 44 replies
  • July 21, 2022
RNCNetops wrote:

Is there a way to patch it or better remove it?

 


Apparently only if you want to disable SIP and try to update the files but that creates entirely new issues.

Best way is to just upgrade the OS to Big Sur or Monterey. Considering that Catalina will be EOL in a few months, that would be the easiest method.

 

Additionally, apache may be installed in the machine but is disabled by default. So long as you keep it disabled, there should be minimal concern.

dvasquez
Forum|alt.badge.img+16
  • dvasquez
  • Valued Contributor
  • 318 replies
  • January 25, 2023
R_C wrote:

It's somewhat of a false positive. Whereas it is a vulnerability, httpd is default disabled unless otherwise enabled.

 

Command to Disable Apache\\httpd

/bin/launchctl disable system/org.apache.httpd

 

Command to check whether Apache\\httpd is enabled:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'

 


@R_C  this was helpful:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'

I also set up an extension attribute to help with the status of my managed laptops, maybe this will help someone: (be warrened it is nothing fancy)

#!/bin/bash

status=$(/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true')
echo "<result>$status</result>"

 

 

 

N30
Forum|alt.badge.img+4
  • N30
  • Contributor
  • 13 replies
  • February 7, 2023

Since Apple MacOS Monterey 12.6.2 comes with the latest apache version 2.4.54, best way is to update your MacOS to the latest Monterey (MacOS Monterey 12.6.3).

dvasquez
Forum|alt.badge.img+16
  • dvasquez
  • Valued Contributor
  • 318 replies
  • February 9, 2023

You can setup detection for this in Jamf Pro with an extension attribute but also you can verify the version using this command:

/usr/sbin/httpd -v

 I am running macOS Ventura 13.2 and my version is:

Server version: Apache/2.4.54 (Unix)
Server built: Dec 16 2022 22:01:38

Hope this helps!

R
N30
2 people like this
  • R
    R_C
  • N30
    N30

Reply


Most helpful members this week

Terms & ConditionsCookie settingsAccessibility statement

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings