You have to understand Red Hat's packaging and patching policy.

Red Hat pick the version of any given tool they'll use when they launch a version of RHEL. For RHEL 6, this included Apache 2.2.15, the 2.6.32 kernel, php 5.3.3, and so on. For the rest of the life of RHEL6, these will not be upgraded; Red Hat will instead backport any necessary patches (and occasionally, improvements which are felt to be desirable) to the version they have picked. That means that you'll be running software whose version number suggests it's vulnerable to certain well-known exploits, but which likely has been patched to avoid those vulnerabilities. Red Hat explain all of this themselves in more detail on their own website.

If you want to be sure that you're not subject to a particular vulnerability, you'll need to find the CVE number of the issue, and check the changelogs. Fortunately, rpm makes this easier than it might otherwise be. Consider as an example CVE-2017-7679, which on the face of it would affect httpd-2.2.15. On my (CentOS6, but I suspect RHEL6 would give an identical response) system, this is patched:

[me@lory ~]$ rpm -q --changelog httpd|grep 7679
- Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread

It's amazing how many soi-disant security auditors don't understand the ramifications of RH's approach (which, as noted below, is common to most enterprise-minded distros), some of them even after it's been explained slowly and in short words.