Question:

Selah scans a Red Hat Linux server that she believes is fully patched and sees that the Apache version on the server was reported as vulnerable to an exploit a few months ago. When she checks to see if she is missing patches, Apache is fully patched. What has happened?

A. A false positive.

Explanation:

This is an example of a false positive. A false positive reports a vulnerability that is not actually there. This sometimes happens when a patch or fix is installed but the application does not change in a way that shows the change, and it has been an issue with updates where the version number is the primary check for a vulnerability. When a vulnerability scanner sees a vulnerable version number and the installed patch has not updated that number, a false positive report can occur. A false negative would report the system as patched or fixed when a vulnerability was actually present. Automatic updates were not mentioned, nor was a specific Apache version.
