Thaidog asked on

Does this Apache vulnerability apply to the CentOS 6 version?

I have a concern about a vulnerability I found:

3 Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability
QID: 87120
Category: Web server
CVE ID: CVE-2012-0053
Vendor Reference: Apache 2.2, IBM HTTP Server
Bugtraq ID: -
Service Modified: 10/17/2012   User Modified: -
Edited: No
PCI Vuln: Yes

THREAT:
Apache HTTP Server is an HTTP web server application.
A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.

Affected Versions:
Apache HTTP Server 2.2.0 through to 2.2.21.
IBM HTTP Server prior to 6.1.0.43, 7.0.0.23, 8.0.0.3

IMPACT:
Successfully exploiting this vulnerability might allow a remote attacker to get access to sensitive information.

SOLUTION:
This issue has been patched in Apache 2.2.22. Refer to Apache 2.2 Security Vulnerabilities (http://httpd.apache.org/security/vulnerabilities_22.html). IBM also released updated versions to fix this vulnerability. Refer to

My CentOS 6.2 server has this version rpm on it:

httpd-2.2.20-LN.el6.4.x86_64

Red Hat and CentOS are known for keeping older version numbers on patched packages, so I am not sure if this version is patched or not. Can anybody tell me if this version is affected?

Tags: Vulnerabilities, Linux, Apache Web Server

Graham N.

Yes, your current Apache version is vulnerable.  

You need to update if you want PCI compliance, however, if PCI compliance is not essential to your operation you could wait as this particular attack vector is pretty obscure.

Apache 2.4.x would be the ideal way to go, although Apache 2.2.22 would be ok for mitigating this vulnerability (but not for PCI). Updating apache shouldn't be too difficult in Centos.
arnold

You seem not to have the centos version of httpd.
Yum update should get your setup to CentOS 6.3.

Where did you get the httpd package?
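Two concrete checks for the situation described in this thread, added here as an example and not part of any of the posts above. A stock CentOS 6 httpd keeps the upstream version string (2.2.15) and records backported security fixes in the RPM changelog, so the first check greps that changelog (normally the output of `rpm -q --changelog httpd`) for the CVE. Because the asker's package is a third-party build, a changelog may not exist or may not be trustworthy, so the second check probes the running server the way the CVE is triggered: send a Cookie header longer than the default LimitRequestFieldSize (8190 bytes) carrying a canary value, and see whether the resulting 400 error page reflects that header back. The changelog text, the 400 response body and the host name are constructed for this example; the canary cookie name and value are arbitrary.

```shell
#!/bin/sh
# Added example (not code from the original thread).
# Check 1: does the RPM changelog record a backported fix for CVE-2012-0053?
# Check 2: does the server's default 400 page reflect an oversized Cookie header?

CVE='CVE-2012-0053'
CANARY='canary_cookie_value_4c1'          # arbitrary marker we expect to see reflected
LIMIT=8190                                 # Apache default LimitRequestFieldSize

# Constructed sample changelog entry, in the shape `rpm -q --changelog httpd` prints.
SAMPLE_CHANGELOG='* Tue Jan 31 2012 Packager <packager@example.com> - 2.2.15-16
- add security fix for CVE-2012-0053 (400 error page reflects request headers)
* Mon Nov 07 2011 Packager <packager@example.com> - 2.2.15-15
- rebuilt'

# Constructed sample of an unpatched default 400 response body.
SAMPLE_400_BODY='<title>400 Bad Request</title>
<p>Size of a request header field exceeds server limit.<br />
<pre>
Cookie: session=canary_cookie_value_4c1; pad=AAAAAAAA</pre>
</p>'

# Return 0 if the changelog text ($1) mentions the CVE, i.e. the fix was backported.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qi "$CVE"
}

# Build a Cookie header value longer than LIMIT so the server answers 400.
build_oversized_cookie() {
    pad=$(printf '%9000s' '' | tr ' ' 'A')
    printf 'session=%s; pad=%s' "$CANARY" "$pad"
}

# Return 0 if the response body ($1) reflects the canary, i.e. the Cookie leaked.
response_leaks_cookie() {
    printf '%s\n' "$1" | grep -q "$CANARY"
}

# Live probe against a base URL ($1), e.g. http://www.example.com/ (assumed name).
# Exit status 1 means the canary came back in the 400 page.
probe_server() {
    body=$(curl -s -H "Cookie: $(build_oversized_cookie)" "$1")
    if response_leaks_cookie "$body"; then
        echo "VULNERABLE: 400 page reflected the Cookie header"
        return 1
    fi
    echo "not reflected (patched, custom ErrorDocument, or request not rejected)"
    return 0
}

# Stand-alone run on the constructed samples:
if changelog_mentions_cve "$SAMPLE_CHANGELOG"; then
    echo "changelog: fix for $CVE recorded"
fi
if response_leaks_cookie "$SAMPLE_400_BODY"; then
    echo "sample 400 body: canary reflected"
fi
```

On the real host run `changelog_mentions_cve "$(rpm -q --changelog httpd)"` and `probe_server http://your-host/` against a vhost that has no custom ErrorDocument 400. A server that reflects the canary is unpatched regardless of what the version string says; one that does not may be patched, may have a custom error page, or may use a larger LimitRequestFieldSize, so the changelog check is still worth doing.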
1ly4me

What do you want to do?
upgrade to httpd 2.2.22 or 2.2.23.
I recommend upgrade to 2.2.23. We have had similar issues with 2.2.22 and finally upgraded to httpd 2.2.23
ASKER CERTIFIED SOLUTION
arnold
