Problem

Vulnerability scanners see that VA is currently using Apache 2.4.26 in VA 4.12.1 SP5 and flag the product as vulnerable to CVE-2017-9788 and CVE-2017-9789.

Resolution

VA is not vulnerable to those CVEs because we do not ship mod_http2 or mod_auth_digest, which contain the vulnerable code. Axway will continue to monitor Apache security advisories and we will release Apache updates in future service packs, when required.