Apache 2

Tenable plugin 201198 is a bundle alert for Apache HTTP Server versions before 2.4.60, pulling in eight issues from the 2024-07-01 upstream advisory. The headline risk driver is CVE-2024-38475, where unsafe mod_rewrite substitutions in server/vhost context can let an unauthenticated attacker map a URL to a filesystem path that Apache is allowed to serve, leading to source disclosure or code execution. The bundle also includes config-specific issues in mod_proxy, mod_rewrite, backend-header handling, a Windows-only UNC/NTLM leak, and one HTTP/2 WebSocket DoS that only affects 2.4.55 through 2.4.59.

The vendor CRITICAL label is too broad for fleet-wide prioritization. In practice, most of these bugs are only reachable if you have the right module mix and a fragile configuration pattern; version alone is not the exploit path. But this is not a routine downgrade to MEDIUM, because CVE-2024-38475 was added to CISA KEV on 2025-05-01, public testing tools exist, and Apache is common on internet-facing systems. For a 10,000-host estate, treat this as HIGH overall, then immediately carve out a smaller urgent subset: internet-facing Apache with mod_rewrite/mod_proxy, reverse-proxy roles, Windows Apache, and appliance-like embeds.

Why this verdict

• Baseline down from vendor CRITICAL: Tenable's bundle severity inherits worst-case CVSS from one path, but the plugin covers eight bugs with very different prerequisites and impact.
• Config gates matter: meaningful exploitation usually requires mod_rewrite, mod_proxy, exploitable backend headers, Windows UNC behavior, or HTTP/2 WebSocket handling. Each prerequisite sharply reduces the real exposed population.
• Scanner certainty is low: plugin 201198 is explicitly version-only, so it will flag backported distro packages and cannot prove the dangerous rewrite/proxy condition exists.
• KEV pulls it back up: CVE-2024-38475 entered CISA KEV on 2025-05-01, so this is no longer just a lab-grade misconfiguration class.
• Blast radius varies by role: internet-facing reverse proxies and embedded/appliance Apache deserve top attention; internal static-content nodes do not carry the same urgency.

Why not higher?

This is not a clean pre-auth RCE against every Apache < 2.4.60 host. The attacker usually needs a deployment-specific rule pattern or module combination, and many enterprise scanners cannot distinguish a truly exploitable config from a merely old version string. That configuration dependence is too much friction for a blanket CRITICAL across a big fleet.

Why not lower?

KEV status changes the math. Once a vulnerability in the bundle is confirmed exploited in the wild and public tooling exists, you cannot treat the whole item as routine patch hygiene—especially on internet-facing Apache, proxy roles, and embedded products. Apache's prevalence also means the reachable subset can still be operationally significant.

1. Triage internet-facing Apache first — Immediately isolate the hot subset: external Apache, reverse proxies, app gateways, and embedded/appliance uses. Because CVE-2024-38475 is KEV-listed, apply this compensating control immediately, within hours, not on a routine 30-day cycle.
2. Review and constrain server-context RewriteRules — Audit VirtualHost and global config for RewriteRule substitutions beginning with backreferences or variables and for rules that can resolve to filesystem paths or unexpected handlers. Remove or hard-constrain those patterns immediately, within hours on exposed systems; this directly attacks the main exploitation prerequisite.
3. Reduce proxy ambiguity — Lock down mod_proxy mappings, reject malformed/encoded URLs before backend forwarding, and avoid trusting backend-supplied redirect or content-type behavior where local handlers can be reached. Deploy within hours for exposed proxy tiers and complete the broader review within 30 days for the rest of the HIGH-class fleet.
4. Block outbound SMB from Windows Apache — For Windows-based Apache, prevent outbound SMB/445 and UNC-style access except where explicitly required. This strips most value from the UNC/NTLM leakage path and should be enforced immediately, within hours if any Windows Apache exists.
5. Use local config-aware verification — Do not accept version-only scanner output as proof. Run local verification against package provenance, loaded modules, and rewrite/proxy config so you can separate true exposure from distro backports and low-risk nodes within 30 days across the full affected inventory.

Run this on the target Apache host as root or with read access to Apache config directories. Save as check_apache_201198.sh and run sudo bash check_apache_201198.sh /etc/apache2 or sudo bash check_apache_201198.sh /etc/httpd; it checks local version/package context, loaded modules, and looks for risky RewriteRule patterns tied to the main exploit path.

#!/usr/bin/env bash
# check_apache_201198.sh
# Purpose: Assess likely exposure to Tenable plugin 201198 / Apache < 2.4.60 bundle.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

CFG_ROOT="${1:-}"

have_cmd() { command -v "$1" >/dev/null 2>&1; }

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

find_httpd_bin() {
  for b in apache2 httpd apachectl apache2ctl; do
    if have_cmd "$b"; then
      echo "$b"
      return 0
    fi
  done
  return 1
}

HTTPD_BIN="$(find_httpd_bin)"
if [ -z "${HTTPD_BIN:-}" ]; then
  echo "UNKNOWN - Apache binary not found in PATH"
  exit 2
fi

VERSION_RAW="$($HTTPD_BIN -v 2>/dev/null | grep -Eo 'Apache/[0-9]+\.[0-9]+\.[0-9]+' | head -n1 | cut -d/ -f2)"
if [ -z "$VERSION_RAW" ]; then
  echo "UNKNOWN - Could not determine Apache version"
  exit 2
fi

# Collect package info where possible for distro backport clues.
PKG_INFO=""
if have_cmd dpkg-query; then
  PKG_INFO="$(dpkg-query -W -f='${Package} ${Version}\n' apache2 2>/dev/null | head -n1)"
elif have_cmd rpm; then
  PKG_INFO="$(rpm -q httpd 2>/dev/null | head -n1)"
fi

# Fixed-by-backport heuristics for common Ubuntu package lines from vendor advisory pages.
if echo "$PKG_INFO" | grep -Eq 'apache2 2\.4\.58-1ubuntu8\.2|apache2 2\.4\.52-1ubuntu4\.10|apache2 2\.4\.41-4ubuntu3\.19|apache2 2\.4\.57-2ubuntu2\.5|apache2 2\.4\.62-1ubuntu1'; then
  echo "PATCHED - Distro package appears to include backported fix ($PKG_INFO)"
  exit 0
fi

# Upstream version >= 2.4.60 means patched for this advisory bundle.
if ! ver_lt "$VERSION_RAW" "2.4.60"; then
  echo "PATCHED - Apache version $VERSION_RAW is >= 2.4.60"
  exit 0
fi

# If config root wasn't supplied, try common locations.
if [ -z "$CFG_ROOT" ]; then
  for d in /etc/apache2 /etc/httpd /usr/local/etc/apache2 /usr/local/apache2/conf; do
    if [ -d "$d" ]; then
      CFG_ROOT="$d"
      break
    fi
  done
fi

if [ -z "${CFG_ROOT:-}" ] || [ ! -d "$CFG_ROOT" ]; then
  echo "UNKNOWN - Apache version $VERSION_RAW is < 2.4.60, but config directory was not found. Package: ${PKG_INFO:-none}"
  exit 2
fi

# Build a quick view of loaded modules.
MODULES="$($HTTPD_BIN -M 2>/dev/null || true)"
HAS_REWRITE=0
HAS_PROXY=0
HAS_HTTP2=0
if echo "$MODULES" | grep -q 'rewrite_module'; then HAS_REWRITE=1; fi
if echo "$MODULES" | grep -Eq 'proxy_module|proxy_http_module|proxy_fcgi_module|proxy_ajp_module'; then HAS_PROXY=1; fi
if echo "$MODULES" | grep -Eq 'http2_module|h2_module'; then HAS_HTTP2=1; fi

# Look for risky rewrite rules in server/vhost context.
# This is heuristic, not a full Apache parser.
RISKY_REWRITE=0
if [ "$HAS_REWRITE" -eq 1 ]; then
  if grep -RIEq '^[[:space:]]*RewriteRule[[:space:]].*[[:space:]](\$[0-9]+|%\{[^}]+\})' "$CFG_ROOT" 2>/dev/null; then
    RISKY_REWRITE=1
  fi
fi

# Look for broad indicators of potentially exposed CGI/script content.
SCRIPT_HANDLER=0
if grep -RIEq 'AddHandler[[:space:]].*(cgi-script|php)|SetHandler[[:space:]].*(proxy:fcgi|application/x-httpd-php|cgi-script)' "$CFG_ROOT" 2>/dev/null; then
  SCRIPT_HANDLER=1
fi

WINDOWS_HOST=0
case "$(uname -s 2>/dev/null)" in
  CYGWIN*|MINGW*|MSYS*) WINDOWS_HOST=1 ;;
esac

# Decision logic.
if [ "$RISKY_REWRITE" -eq 1 ]; then
  echo "VULNERABLE - Apache $VERSION_RAW with mod_rewrite and risky RewriteRule patterns under $CFG_ROOT"
  exit 1
fi

if [ "$HAS_PROXY" -eq 1 ] || [ "$HAS_HTTP2" -eq 1 ] || [ "$SCRIPT_HANDLER" -eq 1 ] || [ "$WINDOWS_HOST" -eq 1 ]; then
  echo "UNKNOWN - Apache $VERSION_RAW is in affected range and risky modules/features are present, but no definitive vulnerable rule was proven. Review config manually. Package: ${PKG_INFO:-none}"
  exit 2
fi

echo "UNKNOWN - Apache $VERSION_RAW is in affected range, but the main exploit prerequisites were not observed automatically. Package: ${PKG_INFO:-none}"
exit 2

Sources

1. Tenable Nessus Plugin 201198
2. Apache HTTP Server 2.4 vulnerabilities advisory
3. NVD CVE-2024-38475
4. oss-security advisory for CVE-2024-38475
5. CISA alert adding CVE-2024-38475 to KEV
6. Black Hat USA 2024 Confusion Attacks slides
7. GitHub PoC / testing toolkit
8. Ubuntu CVE page showing backported fixes