Thaidog
Does this Apache vulnerability apply to the CentOS 6 version?

I have a concern about a vulnerability I found:

3 Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability
QID: 87120
Category: Web server
CVE ID: CVE-2012-0053
Vendor Reference: Apache 2.2, IBM HTTP Server
Bugtraq ID: -
Service Modified: 10/17/2012
User Modified: -
Edited: No
PCI Vuln: Yes

THREAT:
Apache HTTP Server is an HTTP web server application.
A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.

Affected Versions:
Apache HTTP Server 2.2.0 through to 2.2.21.
IBM HTTP Server prior to 6.1.0.43, 7.0.0.23, 8.0.0.3

IMPACT:
Successfully exploiting this vulnerability might allow a remote attacker to get access to sensitive information.

SOLUTION:
This issue has been patched in Apache 2.2.22. Refer to Apache 2.2 Security Vulnerabilities (http://httpd.apache.org/security/vulnerabilities_22.html). IBM also released updated versions to fix this vulnerability. Refer to

My CentOS 6.2 server has this version rpm on it:

httpd-2.2.20-LN.el6.4.x86_64

Red Hat and CentOS are known for keeping older version numbers on patched packages, so I am not sure if this version is patched or not. Can anybody tell me if this version is affected?
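Two checks a defender would run to answer the question above, written here as an added example (not code from the asker, the answerers, or Apache): first, whether the installed RPM's changelog claims a backport of CVE-2012-0053 (the output format of `rpm -q --changelog httpd`), and second, whether a captured 400 response still echoes the Cookie header in its body, which is the disclosure the CVE describes. The changelog text, cookie value and HTTP responses are constructed samples, not real package or server data.

```python
import re

# Constructed sample of `rpm -q --changelog httpd` output (not real package data).
SAMPLE_CHANGELOG = """\
* Tue Feb 14 2012 Example Maintainer <maint@example.invalid> - 2.2.x-EXAMPLE
- add security fix for CVE-2012-0053
- add security fix for CVE-2011-3607

* Mon Sep 05 2011 Example Maintainer <maint@example.invalid> - 2.2.x-OLDER
- add security fix for CVE-2011-3192
"""

def changelog_fixes_for(changelog: str, cve: str) -> list:
    """Return the changelog entry headers (the '* ...' lines) whose body
    mentions `cve`. An empty list means the package makes no backport
    claim for that CVE, so the version number alone says nothing."""
    hits, current = [], None
    for line in changelog.splitlines():
        if line.startswith("* "):
            current = line[2:].strip()
        elif current and cve.lower() in line.lower():
            hits.append(current)
    return sorted(set(hits))

# Constructed exchange: an over-long Cookie header that Apache rejects with 400.
SAMPLE_COOKIE = "session=" + "A" * 40
VULNERABLE_400 = ("HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                  "<h1>Bad Request</h1><p>Size of a request header field exceeds "
                  f"server limit.<br /><pre>Cookie: {SAMPLE_COOKIE}</pre></p>")
FIXED_400 = ("HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
             "<h1>Bad Request</h1><p>Size of a request header field exceeds "
             "server limit.</p>")

def response_reflects_cookie(raw_response: str, cookie: str) -> bool:
    """True when a 400 response body contains the cookie that was sent, i.e.
    the default error page still leaks request header contents. A custom
    ErrorDocument 400 or the 2.2.22 fix makes this return False."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", head)
    if not status or status.group(1) != "400":
        return False
    return cookie in body
```

On a real host, feed `changelog_fixes_for` the output of `rpm -q --changelog httpd`; an RPM whose changelog never names the CVE should be treated as unpatched regardless of its version string.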
Graham N.

Yes, your current Apache version is vulnerable.

You need to update if you want PCI compliance, however, if PCI compliance is not essential to your operation you could wait as this particular attack vector is pretty obscure.

Apache 2.4.x would be the ideal way to go, although Apache 2.2.22 would be OK for mitigating this vulnerability (but not for PCI). Updating Apache shouldn't be too difficult in CentOS.
You seem not to have the CentOS version of httpd.
Yum update should get your setup to CentOS 6.3.

Where did you get the httpd package?
What do you want to do?
Upgrade to httpd 2.2.22 or 2.2.23.
I recommend upgrading to 2.2.23. We have had similar issues with 2.2.22 and finally upgraded to httpd 2.2.23.
ASKER CERTIFIED SOLUTION
arnold