My understanding is that the vulnerability is when Apache gets a HTTP request and calls out to MOD_CGI, and the malicious HTTP request sets environment variables. It may also be vulnerable in MOD_STATUS.
You can take a look at your httpd.conf file which is usually located at /private/etc/apache2 and see what’s enabled. Disabling those things and restarting apache might help, but since this seems a very fluid situation I wouldn’t count on anything at this point.
I run a few OSX web servers, and I stopped Apache on them this morning until I know what to do… YMMV