Apache 2

CVE-2023-31122 is an out-of-bounds read in Apache HTTP Server's mod_macro, affecting upstream Apache httpd through 2.4.57 and fixed in 2.4.58. mod_macro is a configuration macro-expansion module: Apache's own docs say macros are expanded *when the server starts up*, so this bug lives in config parsing rather than normal request handling. If mod_macro is not loaded, this CVE does not apply.

The vendor-vs-reality gap is wide here. NVD scored it 7.5/HIGH with a generic network-DoS vector, but Apache itself labeled it low, and that is much closer to operational truth: an attacker usually needs more than raw HTTP reachability to matter here, because they must get Apache to parse attacker-controlled macro content in config or .htaccess-like paths first. For most enterprises, that means this is post-compromise or tenant-misconfiguration territory, not a clean unauthenticated internet exploit.

Why this verdict

• Config-parser, not request-parser: Apache documents mod_macro expansion at startup/config processing time, which breaks the usual 'send one HTTP request from the internet' assumption behind the 7.5 score.
• Requires narrower attacker position: to matter in real life, the attacker typically needs config write/influence, .htaccess control, or equivalent delegated admin access. That implies post-initial-access or a special hosting model, which is strong downward pressure on severity.
• Population is much smaller than Apache-at-large: internet scanning can find old Apache versions, but it generally cannot prove mod_macro is enabled. That makes the truly reachable population much smaller than the visible banner population.

Why not higher?

There is no solid evidence here of unauthenticated remote code execution, no KEV listing, and no trustworthy sign of broad exploitation campaigns. The biggest reason not to go higher is that raw network access to port 80/443 is usually insufficient by itself.

Why not lower?

It is still a real memory-safety bug in a widely deployed product family, and some environments do let untrusted users influence Apache config fragments or .htaccess. If you run shared hosting, delegated web content management, or permissive override models, the risk is non-zero and worth cleaning up.

1. Inventory mod_macro usage — Identify which Apache nodes actually load macro_module and document where macros are used. For a LOW verdict there is no SLA (treat as backlog hygiene), but do this in the next routine audit so you can sharply reduce false-positive exposure.
2. Lock down config write paths — Restrict write access to Apache configs, included snippets, and web roots that can carry .htaccess files; alert on drift with FIM or EDR. For a LOW verdict there is no SLA (treat as backlog hygiene), but this control matters more than rushing a fleet-wide emergency patch.
3. Reduce override usage — Where possible, disable or narrowly scope AllowOverride so untrusted content paths cannot introduce Apache directives that must be parsed at request time. For a LOW verdict there is no SLA (treat as backlog hygiene) and this is mainly about shrinking reachability.

Run this on the target Apache host as a local administrator or with sudo, because it reads runtime module state and package metadata. Example: sudo bash check_cve_2023_31122.sh; it needs enough privilege to run apachectl -M/httpd -M and query the package manager.

#!/usr/bin/env bash
# check_cve_2023_31122.sh
# Determine likely exposure to CVE-2023-31122 (Apache mod_macro buffer over-read)
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

fixed_upstream="2.4.58"
status="UNKNOWN"
reason=""
ctl=""
mod_output=""
server_version=""
pkg_info=""

have_cmd() { command -v "$1" >/dev/null 2>&1; }

ver_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

find_ctl() {
  for c in apache2ctl apachectl httpd; do
    if have_cmd "$c"; then
      ctl="$c"
      return 0
    fi
  done
  return 1
}

get_server_version() {
  local out=""
  if [ -n "$ctl" ]; then
    out="$($ctl -v 2>/dev/null || true)"
    server_version="$(printf '%s' "$out" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n1)"
  fi
}

get_module_list() {
  if [ -n "$ctl" ]; then
    mod_output="$($ctl -M 2>/dev/null || true)"
  fi
}

get_pkg_info() {
  if have_cmd dpkg-query; then
    pkg_info="$(dpkg-query -W -f='${Package} ${Version}\n' apache2 apache2-bin 2>/dev/null || true)"
  elif have_cmd rpm; then
    pkg_info="$(rpm -q httpd apache2 2>/dev/null || true)"
  fi
}

package_has_fixed_backport() {
  # Known fixed Debian LTS package from advisory
  printf '%s\n' "$pkg_info" | grep -Eq 'apache2(\-bin)? 2\.4\.59-1~deb10u1' && return 0
  return 1
}

main() {
  find_ctl || true
  get_server_version
  get_module_list
  get_pkg_info

  if package_has_fixed_backport; then
    echo "PATCHED - package backport detected ($pkg_info)"
    exit 0
  fi

  if [ -z "$mod_output" ]; then
    echo "UNKNOWN - could not retrieve loaded Apache modules"
    exit 2
  fi

  if ! printf '%s\n' "$mod_output" | grep -Eq 'macro_module'; then
    echo "PATCHED - mod_macro is not loaded, CVE-2023-31122 does not apply"
    exit 0
  fi

  if [ -z "$server_version" ]; then
    echo "UNKNOWN - mod_macro is loaded but Apache version could not be determined"
    exit 2
  fi

  if ver_ge "$server_version" "$fixed_upstream"; then
    echo "PATCHED - Apache $server_version with mod_macro loaded is at or above $fixed_upstream"
    exit 0
  fi

  echo "VULNERABLE - Apache $server_version is below $fixed_upstream and mod_macro is loaded"
  exit 1
}

main "$@"

Sources

1. Apache HTTP Server 2.4 vulnerabilities
2. NVD CVE-2023-31122
3. Openwall oss-security post for CVE-2023-31122
4. Apache mod_macro documentation
5. Debian LTS advisory DLA-3818-1
6. CISA Known Exploited Vulnerabilities Catalog
7. Bitsight CVE-2023-31122 observation footprint
8. Bitsight Apache HTTP Server 2.4.57 observation footprint