Report Date: October 26, 2023 (Retrospective Analysis)
Version Analyzed: 2.4.18
Initial Release Date: December 14, 2015
End of Life (Official Support): Approximately July 2016 (when 2.4.20 was released; the 2.4.x series continues, but patch support specific to 2.4.18 ceased once newer releases shipped)

1. Executive Summary

Apache HTTP Server 2.4.18 is a historical minor release in the long-lived 2.4.x branch. While it introduced several useful modules and fixes at the time, it is now severely outdated and unsafe for production use. It lacks critical security patches, TLS protocol support (e.g., TLS 1.3), and performance improvements present in later 2.4.x versions (2.4.46+). Organizations still running this version are exposed to multiple known vulnerabilities (CVEs) and compliance risks.
| CVE ID | Impact | Fixed in Version |
|--------|--------|------------------|
| CVE-2017-9798 (Optionsbleed) | Memory leak exposing .htaccess overrides | 2.4.28 |
| CVE-2019-0211 | Privilege escalation (Apache children → root) | 2.4.39 |
| CVE-2019-10098 | HTTP/2 request smuggling | 2.4.40 |
| CVE-2020-11993 | Push diary crash in HTTP/2 | 2.4.44 |
| CVE-2021-40438 | Server-side request forgery (mod_proxy) | 2.4.49 |
| CVE-2021-44790 | mod_lua buffer overflow (RCE) | 2.4.52 |
| CVE-2022-23943 | mod_sed memory corruption | 2.4.53 |
| CVE-2022-31813 | mod_proxy_ajp request smuggling | 2.4.54 |
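To turn the table above into an inventory check, the following Python script (added here as an example; it is not part of the report and not an Apache project tool) parses the version string from `httpd -v` output or an HTTP `Server` header and lists the CVEs from the table whose fix landed in a later upstream release. The "fixed in" versions are taken verbatim from the table; the sample `httpd -v` output and `Server` header lines are constructed. The comparison assumes a plain upstream 2.4.x version number, so a distribution build that backports fixes while keeping the 2.4.18 label (as Ubuntu 16.04 does) will be over-reported and must be confirmed against the package changelog rather than the version alone.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# "Fixed in Version" column of the report's CVE table, copied as given.
FIXED_IN: Dict[str, str] = {
    "CVE-2017-9798": "2.4.28",
    "CVE-2019-0211": "2.4.39",
    "CVE-2019-10098": "2.4.40",
    "CVE-2020-11993": "2.4.44",
    "CVE-2021-40438": "2.4.49",
    "CVE-2021-44790": "2.4.52",
    "CVE-2022-23943": "2.4.53",
    "CVE-2022-31813": "2.4.54",
}

# Matches "Apache/2.4.18" in both "httpd -v" output and Server headers.
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from 'httpd -v' output or a Server header.

    Returns None when no version is disclosed, e.g. with 'ServerTokens Prod',
    in which case the version has to be read from the host itself.
    """
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def version_tuple(text: str) -> Version:
    """Convert a dotted version such as '2.4.28' into a comparable tuple."""
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def unpatched_cves(version: Version) -> List[str]:
    """CVEs from the table whose fix is newer than the given upstream version.

    Assumption: the version is a plain upstream number. Distribution packages
    that backport fixes under an old version label must be checked via their
    package changelog instead.
    """
    return sorted(
        cve for cve, fixed in FIXED_IN.items() if version < version_tuple(fixed)
    )


def assess(text: str) -> Dict[str, object]:
    """Combine parsing and lookup into one result for a single host."""
    version = parse_httpd_version(text)
    if version is None:
        return {"version": None, "cves": [], "note": "version not disclosed"}
    return {
        "version": ".".join(str(p) for p in version),
        "cves": unpatched_cves(version),
        "note": "upstream version compared; verify distro backports",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    samples = [
        "Server version: Apache/2.4.18 (Ubuntu)\nServer built:   2020-01-01T00:00:00",
        "Server: Apache/2.4.54 (Unix) OpenSSL/1.1.1n",
        "Server: Apache",
    ]
    for sample in samples:
        result = assess(sample)
        print(f"{result['version']!s:>8}: {len(result['cves'])} table CVEs unpatched ({result['note']})")
```

Run it against the output of `httpd -v` (or `apache2ctl -v` on Debian-derived systems) collected from each host; a count of zero only means the table's CVEs are addressed upstream, not that the build is current.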