
Changing default Apache version on Mac OS


A security sweep of my network (using Nessus) revealed that my Mac is running a version of Apache (2.4.46) with a few critical vulnerabilities. I've been told I need to upgrade to at least 2.4.47. I'm having issues getting macOS to use the upgraded version over the default one:

  1. The default httpd is located at /usr/sbin/, which is read-only even as root. As far as I'm aware, upgrading the default macOS version is not a possibility.
  2. Installed a newer version of Apache (v2.4.48) using Homebrew. The Homebrew version is located in /usr/local/bin/httpd, and as long as /usr/local/bin is before /usr/sbin in the env path it should be the preferred version.
  3. Running httpd -v in the terminal returns v2.4.48, but the vulnerability scan is still picking up the old version of Apache.

What am I missing? Why is the OS picking up the old version? Do I simply have to wait for Apple to patch it? Is it even possible to upgrade /usr/sbin/httpd?


Solution

  • Two things here: how to set the default Apache version, and whether your machine is vulnerable.

    Firstly, you can have multiple versions of Apache installed, and even running simultaneously (listening on different ports). Installing Homebrew Apache doesn't necessarily start the server automatically, or deactivate the default (Apple) Apache install.

    You can see which versions of Apache are running on your system by using the ps command; for example, on my machine:

    $ ps auxw | grep  httpd
    _www               782   0.0  0.0 34153280   1476   ??  S    26May22   0:00.83 /usr/sbin/httpd -D FOREGROUND
    

    and check the version:

    $ /usr/sbin/httpd -v
    Server version: Apache/2.4.53 (Unix)
    

    The Apple httpd service is started by launchctl, and you can stop the Apple httpd service from automatically starting up as follows:

    $ sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

    To automatically start Homebrew Apache on system startup (assuming you have already installed it - brew install httpd), run brew services start httpd.

    Remember that the Apache configuration files will be in a different location: the Apple conf file is /etc/apache2/httpd.conf, whereas Homebrew's is /usr/local/etc/httpd/httpd.conf. Also, the default port may well be different: Apple defaults to port 80, whereas Homebrew httpd listens on port 8080 by default.

    Secondly, does this security issue actually matter? By default, Apache listens on all network interfaces, but unless you need to access the web server from another machine, it is safer to configure it to listen only on localhost. You can do this in the httpd.conf file, as follows:

    Listen 127.0.0.1:80

    This page has a good walkthrough of the various steps: https://wpbeaches.com/installing-configuring-apache-on-macos-using-homebrew/
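As an added example (not part of the original answer), the three checks the answer walks through, written as small POSIX shell functions: which httpd binaries are actually running (so you know whether the scan sees Apple's /usr/sbin/httpd or Homebrew's), whether a reported version is older than the required one, and which Listen directives in httpd.conf are not loopback-only. The functions read stdin, so they accept live output (ps auxw | httpd_binaries) as well as the constructed samples at the bottom; the sample process list and conf file are invented for the demo.

```shell
# Added example, not from the original answer: parsers for the checks the
# answer walks through. Each reads text on stdin, so it works on live
# command output or on the constructed samples below.

# From `ps auxw` output, print the path of every running httpd binary.
# Field 11 is the command, so the `grep httpd` line is not matched.
httpd_binaries() {
  awk '$11 ~ /httpd$/ { print $11 }' | sort -u
}

# Pull "2.4.53" out of "Server version: Apache/2.4.53 (Unix)".
httpd_version() {
  sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Exit 0 when dotted version $1 is strictly older than $2.
version_older() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1 }'
}

# Print Listen directives from httpd.conf that are not loopback-only
# (bare port, 0.0.0.0, *, or any non-127.x / ::1 address); comments skipped.
nonlocal_listen() {
  awk '/^[ \t]*Listen[ \t]/ {
    addr = $2; sub(/:[0-9]+$/, "", addr)
    if (!(addr ~ /^127\./ || addr == "[::1]" || addr == "localhost")) print
  }'
}

# Constructed samples standing in for real output on a Mac where both the
# Apple httpd and the Homebrew httpd are running.
SAMPLE_PS='_www  782  0.0  0.0 34153280 1476  ??  S  26May22  0:00.83 /usr/sbin/httpd -D FOREGROUND
user  901  0.0  0.0 34153280 1476  ??  S  26May22  0:00.10 /usr/local/bin/httpd -D FOREGROUND
user  950  0.0  0.0 34100000  800 s000  S+  9:10AM  0:00.00 grep httpd'
SAMPLE_CONF='Listen 80
#Listen 0.0.0.0:8080
Listen 127.0.0.1:8080'

printf '%s\n' "$SAMPLE_PS" | httpd_binaries
v=$(printf 'Server version: Apache/2.4.46 (Unix)\n' | httpd_version)
version_older "$v" 2.4.47 && echo "$v is older than 2.4.47: upgrade needed"
printf '%s\n' "$SAMPLE_CONF" | nonlocal_listen
```

If the scanner still reports the old version after the Homebrew service is up, the first check is the one to look at: a /usr/sbin/httpd process in the list means Apple's launchd job is still running regardless of what httpd -v prints from your PATH.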