I have a concern about a vulnerability I found:
3 Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability 87120
Apache 2.2, IBM HTTP Server
Bugtraq ID: -
Service Modified: 10/17/2012 User Modified: -
PCI Vuln: Yes
Apache HTTP Server is an HTTP web server application.
A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.
Apache HTTP Server 2.2.0 through to 2.2.21.
IBM HTTP Server prior to 22.214.171.124, 126.96.36.199, 188.8.131.52
Successfully exploiting this vulnerability might allow a remote attacker to get access to sensitive information.
This issue has been patched in Apache 2.2.22. Refer to Apache 2.2 Security Vulnerabilities (http://httpd.apache.org/security/vulnerabilities_22.html). IBM also released updated versions to fix this vulnerability. Refer to
My CentOS 6.2 server has this version rpm on it:
Red Hat and CentOS are known for keeping older version numbers on patched packages, so I am not sure if this version is patched or not. Can anybody tell me if this version is affected?
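Because Red Hat and CentOS backport fixes without bumping the upstream version, the package changelog (`rpm -q --changelog httpd`) is where the fix is actually recorded. The script below is an added example, not code from the question or from any vendor; it parses that changelog format and reports which package release first mentions a given fix. The sample changelog, its dates, release strings and the `CVE-XXXX-XXXX` id are constructed placeholders, since the scanner output above quotes no CVE id.

```python
"""Check whether a backported RHEL/CentOS package carries a given security fix
by parsing its rpm changelog (added example; constructed sample data)."""
import re
import subprocess

# An rpm changelog entry header looks like:
#   * Tue Feb 14 2012 Name <email> - 2.2.15-15.el6_2.1
# The trailing " - <version-release>" is present on modern entries; older
# entries may omit it, so it is optional here.
ENTRY_RE = re.compile(
    r"^\*\s+(?P<date>\w{3} \w{3} +\d{1,2} \d{4})\s+(?P<who>.*?)"
    r"(?:\s+-\s+(?P<evr>\S+))?\s*$"
)


def parse_changelog(text):
    """Split `rpm -q --changelog` output into entries, newest first."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"evr": m.group("evr"), "date": m.group("date"), "body": []})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries


def find_fix(text, pattern):
    """Return the newest entry whose body mentions `pattern` (regex, case-insensitive), else None."""
    rx = re.compile(pattern, re.IGNORECASE)
    for entry in parse_changelog(text):
        if any(rx.search(line) for line in entry["body"]):
            return entry
    return None


def installed_has_fix(package, pattern):
    """Live check on a RHEL/CentOS host; requires the rpm tool."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=True).stdout
    return find_fix(out, pattern)


# Constructed sample changelog; release strings, dates and the CVE id are placeholders.
SAMPLE = """\
* Tue Feb 14 2012 Example Maintainer <maint@example.invalid> - 2.2.15-15.el6_2.1
- add security fix for CVE-XXXX-XXXX: HttpOnly cookie disclosure in default
  400 error response
* Mon Oct 10 2011 Example Maintainer <maint@example.invalid> - 2.2.15-15
- rebuild against new openssl
"""

if __name__ == "__main__":
    hit = find_fix(SAMPLE, r"httponly")
    print("fixed in", hit["evr"] if hit else "not found")
```

On a real host, call `installed_has_fix("httpd", "<the CVE id or keyword from the advisory>")` and compare the returned release string with `rpm -q httpd`.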