thefreeman 3 days ago

It also barely meets the definition of "a vulnerability report". He basically just nmap scanned the server and googled the apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through apache... so completely irrelevant. I didn't read every CVE for the apache version but I am doubtful there is anything that actually allows taking over the server there.

roywashere 3 days ago

Also, Apache 2.4.57 is exactly the version of Apache you get when you run RHEL 9 / AlmaLinux / Rocky 9. In that case, the OS would provide backports of the CVE fixes for you and the banner still reads Apache 2.4.57!

capitainenemo 3 days ago

That was EXACTLY my first thought on skimming the article. There are commercial vulnerability tools that do this to me repeatedly with Debian and Ubuntu - reporting vulnerabilities in things that the Ubuntu and Debian CVE pages clearly state were patched in backports years prior. Often it is in Apache.
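The point made in the two comments above, as an added illustration that is not from the thread: a scanner that only reads the banner flags every upstream CVE fixed after 2.4.57, while a check against the installed package release and the vendor errata does not. The CVE ids, errata release numbers and the package NVR below are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed sample data (placeholder ids, not real CVEs or errata):
# the upstream Apache version that first contains each fix ...
UPSTREAM_FIXED_IN = {"CVE-0000-0001": (2, 4, 58), "CVE-0000-0002": (2, 4, 60)}
# ... and the EL9 httpd package release that vendor errata say backported it.
VENDOR_FIXED_RELEASE = {"CVE-0000-0001": 5, "CVE-0000-0002": 9}

BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
NVR_RE = re.compile(r"^httpd-(\d+)\.(\d+)\.(\d+)-(\d+)\.el\d+")

def version_from_banner(server_header: str) -> Optional[Tuple[int, ...]]:
    """Upstream version as a banner scanner sees it, e.g. 'Apache/2.4.57 (...)'."""
    m = BANNER_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None

def banner_says_vulnerable(server_header: str, cve: str) -> bool:
    """Naive scanner logic: banner version is older than upstream's fix."""
    v = version_from_banner(server_header)
    return v is not None and v < UPSTREAM_FIXED_IN[cve]

def parse_nvr(nvr: str) -> Tuple[Tuple[int, int, int], int]:
    """Split an RPM NVR such as 'httpd-2.4.57-8.el9' into (version, release)."""
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError(f"unrecognised package NVR: {nvr}")
    a, b, c, rel = (int(x) for x in m.groups())
    return (a, b, c), rel

def package_vulnerable(nvr: str, cve: str) -> bool:
    """Distro-aware check: consult the vendor errata before trusting the version."""
    version, release = parse_nvr(nvr)
    if version >= UPSTREAM_FIXED_IN[cve]:
        return False                  # rebased past the upstream fix
    fixed_release = VENDOR_FIXED_RELEASE.get(cve)
    if fixed_release is None:
        return True                   # no backport on record: treat as exposed
    return release < fixed_release    # fix ships from that package release on

def triage(server_header: str, nvr: str, cve: str) -> str:
    """Label a finding using both views; the thread's case is the first branch."""
    naive, real = banner_says_vulnerable(server_header, cve), package_vulnerable(nvr, cve)
    if naive and not real:
        return "false positive (backported)"
    return "vulnerable" if real else "not affected"

if __name__ == "__main__":
    for cve in UPSTREAM_FIXED_IN:   # constructed banner and NVR below
        print(cve, triage("Apache/2.4.57 (Red Hat Enterprise Linux)", "httpd-2.4.57-8.el9", cve))
```

In practice the NVR comes from `rpm -q httpd` on the host and the fixed release from the vendor's advisory for that CVE; the banner alone cannot tell the two cases apart.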

hughw 3 days ago

I need to see ICE Block's SOC 2 Type 1 audit of their processes for patching vulnerabilities along with their latest SOC 2 Type 2 audit.

tptacek 3 days ago

Their Type 2 attestation would have everything the Type 1 has. I mean obviously you're not being serious but I can't let that one sail by.

hughw 3 days ago

Right, but the Type 2 will prove they actually did what they promised. And yes, I'm drawing it out to an absurdity.