A large number of Apache web server vulnerabilities appear to be present across the education sector; based on intelligence from multiple sources. Some of the vulnerabilities were disclosed back in 2011, and some have Critical CVSS scores.

emPSN is not currently able to carry out network wide discovery scans for these issues, due to: the number of vulnerabilities reported, challenges in verifying the issues without attempting to exploit the issues, and many Apache vulnerabilities being dependent on specific modules or configurations being enabled to be applicable.

emPSN members are strongly advised to review any Apache web servers they have, both externally and internally exposed, and ensure that robust patching and validation processes are in place around these, and other, systems.

The NCSC have a web check service which will assist in testing, details of the service is available here – This service will report a number of common vulnerabilities, but it will not perform deep dive scans available through commercially available tools.

If you have any questions or concerns about this advisory, please contact the team on support@empsn.org.uk