How to remediate – Apache HTTP Server Version

Contents

1. Introduction

The vulnerability is in Apache HTTP Server Version, where it’s possible to obtain the version number of the remote server. This allows attackers to fingerprint systems and identify known vulnerabilities for targeted attacks. It primarily affects publicly accessible web servers running Apache HTTP Server. A successful exploit could lead to information disclosure, potentially aiding further malicious activity against the system.

2. Technical Explanation

The vulnerability occurs because the Apache HTTP Server banner reveals its version number by default. An attacker can simply connect to the server and read this banner to determine the running version. There is no CVE associated with this specific information disclosure, but it’s a common reconnaissance step in attacks. For example, an attacker could use `curl -I ` or similar tools to retrieve the HTTP headers containing the server version. Affected versions are those where the default banner configuration remains unchanged.

Root cause: The Apache HTTP Server includes a default banner that displays its version number.
Exploit mechanism: An attacker connects to the server and reads the HTTP response header, specifically looking for the ‘Server’ field which contains the version information.
Scope: All publicly accessible instances of Apache HTTP Server are potentially affected.

3. Detection and Assessment

You can confirm if a system is vulnerable by checking the server banner. A quick check involves connecting to the web server and examining the response headers. For thorough assessment, you can use port scanning tools or vulnerability scanners.

Quick checks: Use `curl -I ` in a terminal. Look for the ‘Server’ header in the output.
Scanning: Nessus plugin ID 10423 (Apache HTTP Server Version Detection) can identify this issue as an example.
Logs and evidence: Web server access logs may show requests to various URLs, but won’t directly indicate banner exposure.

curl -I https://example.com

4. Solution / Remediation Steps

The solution involves configuring Apache HTTP Server to hide its version number in the server banner. This reduces the information available to potential attackers.

4.1 Preparation

Ensure you have access to edit the Apache configuration file (typically `httpd.conf` or `apache2.conf`). A roll back plan is to restore the original configuration file and restart the service.
Change control approval may be required depending on your organization’s policies.

4.2 Implementation

Step 1: Edit the Apache configuration file (e.g., `httpd.conf` or `apache2.conf`).
Step 2: Add or modify the `ServerTokens Prod` directive in the main configuration section.
Step 3: Save the changes to the configuration file.
Step 4: Restart the Apache service to apply the new configuration (e.g., `sudo systemctl restart apache2`).

4.3 Config or Code Example

Before

ServerTokens OS

After

ServerTokens Prod

4.4 Security Practices Relevant to This Vulnerability

Practices like minimizing information disclosure and maintaining a patch cadence are relevant to this vulnerability type. Least privilege can also reduce the impact if an attacker gains access. For example, reducing exposed attack surface by disabling unnecessary modules or features.

Practice 1: Minimize information disclosure to limit the data available to attackers.
Practice 2: Maintain a regular patch cadence to address known vulnerabilities promptly.

4.5 Automation (Optional)

Automation is not directly applicable for this specific vulnerability, as it requires modifying configuration files. However, you can use configuration management tools like Ansible or Puppet to automate the process of updating `ServerTokens` across multiple servers.

# Example Ansible task (requires appropriate permissions and module setup)
- name: Set ServerTokens to Prod in Apache config
  lineinfile:
    path: /etc/apache2/apache2.conf # Adjust path as needed
    regexp: '^ServerTokens'
    line: 'ServerTokens Prod'
  notify: Restart Apache

5. Verification / Validation

Post-fix check: Use `curl -I ` and verify that the ‘Server’ header only shows “Apache” without any version details.
Re-test: Re-run the earlier detection method (using `curl -I`) to confirm the version information is no longer exposed.
Smoke test: Access a standard web page served by the Apache server (e.g., the default welcome page) to ensure it loads correctly.

curl -I https://example.com

6. Preventive Measures and Monitoring

Baselines: Update your security baseline to require setting `ServerTokens Prod`.
Pipelines: Add a check in your CI/CD pipeline to validate the Apache configuration file for this setting.
Asset and patch process: Implement a regular review cycle (e.g., monthly) to ensure configurations remain secure.

7. Risks, Side Effects, and Roll Back

The main risk is potential compatibility issues with applications that rely on the detailed server version information. However, this is rare. The side effect may be reduced debugging information in some cases. To roll back, restore the original Apache configuration file and restart the service.

Risk or side effect 1: Compatibility issues with applications relying on specific server versions (unlikely).
Roll back: Restore the original `httpd.conf` or `apache2.conf` file from backup, then restart the Apache service (`sudo systemctl restart apache2`).

8. References and Resources

Vendor advisory or bulletin: https://httpd.apache.org/docs/2.4/mod_status.html#servertokens
NVD or CVE entry: Not applicable for this specific information disclosure.
Product or platform documentation relevant to the fix: https://httpd.apache.org/docs/2.4/

Updated on October 26, 2025

Was this article helpful?

Yes No