Query Details
// CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
// https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
let FixedVersion = dynamic(["2.4.60","2.4.61","2.4.62","2.4.63"]);
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where InitiatingProcessVersionInfoProductName has "Apache HTTP Server"
| summarize arg_max(TimeGenerated, *) by DeviceId
| where not (InitiatingProcessVersionInfoProductVersion has_any(FixedVersion))
| project DeviceName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion
This KQL (Kusto Query Language) query is designed to identify devices running vulnerable versions of the Apache HTTP Server that are susceptible to a specific security vulnerability (CVE-2024-38475). Here's a simple breakdown of what the query does:
Define Fixed Versions: It sets a list of Apache HTTP Server versions that have been fixed and are not vulnerable to the issue.
Filter Events: It looks at device process events from the last 90 days.
Identify Apache Servers: It keeps only the events whose initiating process reports a product name containing "Apache HTTP Server".
Get Latest Event per Device: It summarizes the data to get the most recent event for each device.
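Check for Vulnerability: It filters out devices that are running any of the fixed versions, leaving only those that are potentially vulnerable. Because the check is a match against the list, any version string that is not on the list is returned, including a release newer than 2.4.63, so the list has to be kept current.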
Display Results: Finally, it projects (displays) the device name, product name, and product version for devices that are running vulnerable versions of the Apache HTTP Server.
In essence, this query helps identify devices that might need an update to mitigate the specified vulnerability.
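The same check written as a version comparison rather than a list match, as an added example that is not part of the original query. It assumes 2.4.60, the lowest entry in the query's FixedVersion list, is the first fixed release; the SampleEvents rows are constructed stand-ins for DeviceProcessEvents, and the Parsed and Status columns are names introduced here.

```kusto
// Added example: compare the reported version against the first fixed release
// instead of matching a list, so newer releases are not reported as vulnerable.
// Assumption: 2.4.60 (lowest entry in the original FixedVersion list) is the first fixed release.
let FirstFixed = parse_version("2.4.60");
// Constructed sample rows standing in for DeviceProcessEvents.
let SampleEvents = datatable(
    TimeGenerated: datetime,
    DeviceId: string,
    DeviceName: string,
    InitiatingProcessVersionInfoProductName: string,
    InitiatingProcessVersionInfoProductVersion: string)
[
    datetime(2025-04-27 10:00:00), "d1", "web-01", "Apache HTTP Server", "2.4.58",
    datetime(2025-04-28 10:00:00), "d1", "web-01", "Apache HTTP Server", "2.4.62", // upgraded later
    datetime(2025-04-29 09:00:00), "d2", "web-02", "Apache HTTP Server", "2.4.59",
    datetime(2025-04-30 08:00:00), "d3", "web-03", "Apache HTTP Server", "2.4.99", // constructed newer version
    datetime(2025-04-30 12:00:00), "d4", "web-04", "Apache HTTP Server", ""        // no version recorded
];
SampleEvents
| where InitiatingProcessVersionInfoProductName has "Apache HTTP Server"
// Latest event per device, so an upgraded host is judged on its current version.
| summarize arg_max(TimeGenerated, *) by DeviceId
// parse_version() returns null when the string is not a valid version.
| extend Parsed = parse_version(InitiatingProcessVersionInfoProductVersion)
| extend Status = case(
    isnull(Parsed), "version not parseable, review manually",
    Parsed < FirstFixed, "below first fixed release",
    "fixed")
| where Status != "fixed"
| project DeviceName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, Status
```

To run it against real telemetry, replace SampleEvents with DeviceProcessEvents and restore the `where TimeGenerated > ago(90d)` filter from the original query.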

Steven Lim
Released: May 2, 2025