Systems Management Question

Apache information is publicly accessible

10/02/2019 247 views


I found that if you go to your ipaddress/server-status, it will show you private information such as connections, IPs, uptime, OS version, and Apache version.

This is the vulnerability https://nvd.nist.gov/vuln/detail/CVE-2014-0226

Even though the Apache version running is greater than the one in the article, the feature mod_status is enabled. The solution is to either disable mod_status or ensure that access is limited to valid users / hosts. However, there is no way to modify the httpd.conf since it's a closed box. I am dealing with support, but they are not giving me a solution yet.

Do all of you guys have the same issue? Do you have a workaround?



  • I'd be interested in hearing the results from support.
  • What version are you running? I just tried it on a 10.0 test box and could get to /server-status, but could not get to it on production 9.1 boxes.
  • This issue is currently under investigation. We will update this post once this has been completed.

All Answers


We now have a fix that can be applied. Can you post your Support Ticket number for me?

Answered 10/08/2019 by: KevinG
Fourth Degree Green Belt

  • What was the fix? We are showing the same vulnerability after updating to Ver.10.
    • Contact support and they can tether in and apply the fix. It will drop all connections at the time, but the whole process takes like 10 seconds.
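
One way to confirm the exposure described in the question, and to re-check it after support applies the fix, as an added example that is not part of the original thread or the vendor's tooling. The sample response is constructed, and `assess_server_status` and `check_host` are hypothetical names.

```python
import re
import urllib.error
import urllib.request

# Strings mod_status prints on its HTML page and in the ?auto view, grouped by
# the kinds of information the question lists as exposed.
MARKERS = {
    "apache_version": re.compile(r"Server ?Version: *(.+?)(?:<|$)", re.M),
    "uptime": re.compile(r"(?:Server ?)?uptime: *(.+?)(?:<|$)", re.M | re.I),
    "client_ips": re.compile(r"<td>((?:\d{1,3}\.){3}\d{1,3})</td>"),
}

# Constructed sample of a mod_status page (placeholder version, documentation IPs).
SAMPLE_HTML = """<h1>Apache Server Status for appliance.example</h1>
<dl><dt>Server Version: Apache/2.4.x (Unix)</dt>
<dt>Server uptime:  3 days 2 hours</dt></dl>
<tr><td>0-0</td><td>192.0.2.10</td><td>GET /index HTTP/1.1</td></tr>
<tr><td>1-0</td><td>192.0.2.11</td><td>GET /login HTTP/1.1</td></tr>
"""


def assess_server_status(status_code, body):
    """Classify one HTTP response for /server-status and list what it reveals."""
    leaks = {}
    if status_code == 200:
        for name, rx in MARKERS.items():
            found = sorted({m.strip() for m in rx.findall(body)})
            if found:
                leaks[name] = found
    # A 200 with none of the markers is some other page (login, catch-all),
    # and 401/403/404 means access is restricted or the handler is disabled.
    return {"exposed": bool(leaks), "leaks": leaks}


def check_host(base_url, timeout=5):
    """Fetch /server-status from an appliance you administer and assess the reply."""
    url = base_url.rstrip("/") + "/server-status"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess_server_status(resp.status, resp.read().decode("latin-1"))
    except urllib.error.HTTPError as err:
        return assess_server_status(err.code, "")


if __name__ == "__main__":
    print(assess_server_status(200, SAMPLE_HTML))
```

Run `check_host` from a machine outside the management network: `exposed` should be `False` there once access is limited to valid hosts.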
