We're running a vulnerability scan (Nessus) against the CA Access
Gateway (SPS) and we've discovered the following vulnerability :

  CVE-2019-9517 mod_http2
  CVE-2019-10081 mod_http2 
  CVE-2019-10082 mod_http2 
  CVE-2019-10092 mod_proxy 
  CVE-2019-10097 mod_remoteip 
  CVE-2019-10098 mod_rewrite

  Apache HTTP Server 2.4 vulnerabilities
  https://httpd.apache.org/security/vulnerabilities_24.html

Plugin Output: 

  Source            : Server: Apache/2.4.4 (Unix) mod_jk/1.2.37
  Installed version : 2.4.4
  Fixed version     : 2.4.41

The Nessus tool mentioned that : 

   Note that Nessus has not tested for this issue but has instead
   relied only on the application's self-reported version number.

How can we fix it ?

Release : 12.6

Component : SITEMINDER -WEB AGENT FOR APACHE

The nessus tools has reported the following vulnerabilities, and I've
put the module affected.

  CVE-2019-9517 mod_http2
  CVE-2019-10081 mod_http2 
  CVE-2019-10082 mod_http2 
  CVE-2019-10092 mod_proxy 
  CVE-2019-10097 mod_remoteip 
  CVE-2019-10098 mod_rewrite

From the output of the module in use in apache, none of those modules
are in usage.

[[email protected] bin]# ./apachectl -M

Loaded Modules:

  core_module (static)
  so_module (static)
  http_module (static)
  mpm_worker_module (static)
  env_module (shared)
  log_config_module (shared)
  setenvif_module (shared)
  mime_module (shared)
  negotiation_module (shared)
  dir_module (shared)
  jk_module (shared)
  cgi_module (shared)
  alias_module (shared)
  authz_host_module (shared)
  authn_core_module (shared)
  authz_core_module (shared)
  unixd_module (shared)
  slotmem_shm_module (shared)

So said, the SPS you run is not vulnerable and you have to upgrade it
only to get a supported version.