When running a security scan against an ESXi 7.0 Update 3q (build 23794027) host, the scanner reports 2 findings for a vulnerability commonly known as Slowloris:
One is a false positive (CVE-2007-6750); ESXi 7.0 Update 3q and later versions are not vulnerable to it. CVE-2018-12122, however, is a true positive, and there are plans for a fix in future releases.
In detail:
CVE-2007-6750 only affects Apache versions up to 2.2.14. ESXi 7.0 U3q ships with Apache 2.4.15-1ph3, a newer version that is not affected by this vulnerability. In addition, the HTTP server running on ports 80 and 443 on ESXi is not Apache HTTP Server but EnvoyProxy, so CVE-2007-6750, which is specific to the Slowloris attack against Apache HTTP Server 1.x and 2.x, does not apply.
CVE-2018-12122 is a vulnerability in Node.js. The Slowloris attack also impacts many other HTTP servers, and EnvoyProxy as configured on ESXi is vulnerable to this attack. We are aware of this.
There is no workaround for this issue for now, and a fix will be in the next patch release.