Every once and a while our corporate vulnerability scanner finds a problem with the version of Apache running on the OS. Usually Apple will quickly release a patch to put the compliance folks at ease. Well, Apple has released two patches since this was found and no fix. Any guess if Apache will be updated to 2.4.56 in 13.4? Does anyone have the beta?
Here is the path
Path : /usr/sbin/httpd
Installed version : 2.4.54
Fixed version : 2.4.56
Two things:
No problem. Just making you aware of why you won't get an answer to your question. You may have better luck joining either an Apple public beta program or joining the Apple Developer Program to better understand what Apple has in store for future releases.
topazviper wrote:
If it is disabled, why even include it in the OS?
Because it's useful in many cases. Primarily it is useful as a developer tool. No sane person would put a public-facing website on a MacBook Pro. So the risk is that someone hacks themselves? Furthermore, only really good, technically savvy developers will be using the built-in Apache in the first place. Most developers will be using one of those 3rd party package like MAMP or Homebrew and they will be years out of date. Those devices would light up your security scanner like a Christmas tree.
It likely will be removed in the future if it becomes too much trouble, for example, if people keep reporting bugs about it because their "enterprise grade" security scanner complained. Apple has already removed Python and PHP. They tried to remove Perl once but apparently decided that was a bad idea.
Given that is disabled everywhere, there is not risk if the service is out of date
We are discussing corporate security software here. Please don't bring logic into the conversation.
Compliance doesn't care if there is a legitimate risk, the scanning tool says its bad, so its bad. Either you argue with the tool to state it isn't a problem, or Apple patches it :)
I'm sure Apple will patch it eventually, or remove it. But they will do that on their own schedule.
If anything, Apple is too quick to issue these patches. No other company has 1+ billion Unix devices on the market, all in various states of disrepair and misconfiguration. When Apple moves too quickly and introduces some bug, that's a critical breakage. It is one thing for a theoretical vulnerability that might impact only a few dozen people. It is something else to break all developer boxes used by competent Mac-based web developers. They have to get their work done and can't wait 4 months for Apple to fix it. They'll have to install a 3rd party option, introducing tons real real-world security and privacy risks.
In those rare cases that a "zero day" risk does pose a real problem, Apple will issue an emergency security fix. They do that all the time.
But you are correct that you can't argue with your tool. It is a vital part of checking off a box on your business insurance form. But as far as actual security goes, merely installing on a Mac to run the test will reduce your security. But now I'm the one bringing up logic!
The Apache server is disabled by default. If you have users running web servers from their Macs, the version vulnerability is the least of your problems.
Apple takes a practical approach to these things. Apache might get updated in 13.4 and might not. It probably will be updated in 14.0, or it might be deleted. No way to tell.
Compliance doesn't care if there is a legitimate risk, the scanning tool says its bad, so its bad. Either you argue with the tool to state it isn't a problem, or Apple patches it :)
Using a tool with no rational thought. Great plan. “We’re too incompetent to make a decision, so we won’t.”
Your option in this case is to stop using macOS. If your organization is so completely inflexible, you should be running a completely customizable OS like Unix or Linux.
It’s possible Apache is stored in a location that could be modified if you disable SIP. If that is the case, you could just remove it completely. It’s possible you don’t even need to disable SIP. I’m not at a Mac to check.
If you are spending enough money with Apple, you could possibly ask for a custom build, but I doubt anyone is spending that kind of money.
Thank you for this as well. A few thoughts:
Thank you! This is my first time posting here, and I have no idea how best to ask apple this question.
Apache 2.4.54 - time to update again....
