Apache HTTP Server HttpOnly Cookie Information Disclosure vulnerability detected!

Created: 13 Feb 2013 • Updated: 13 Feb 2013 | 8 comments
This issue has been solved. See solution.

Hi, our server picked up this vulnerability yesterday and there is no information on how to mitigate it on Symantec's website. Can anyone tell me where this comes from and how to fix it?

We are using SEP 12.1.1000.157 RU1.

 

Thanks

Dan

_Brian

Meaning you did a vulnerability scan of the SEPM server and this was found?

This is a vulnerability in Apache, so you need to upgrade to Apache HTTP Server version 2.2.22 or later.

http://www.securityspace.com/smysecure/catid.html?...

Although I'm not sure if you can just upgrade Apache without affecting the SEPM. You need to confirm with Symantec.

dan43

We use a product called QualysGuard Security & Compliance Suite and a scan was run on one of our servers that has Symantec Endpoint Protection installed on it, and this is what it detected.

_Brian

Yeah, we do the same thing. The fix is easy (upgrade to the latest version of Apache) but Symantec would need to be consulted to find out what the consequences would be. Usually they would just patch it when a new SEPM version is out. But if you can't wait and need to comply with policy, I would contact them now and tell them what is going on.

Also, you are on an old version of SEPM. The latest is 12.1 RU2 so this may be fixed with an upgrade of the SEPM. I would call and confirm.

SOLUTION
dan43

Hi Brian,

Question for you - can we upgrade Apache web server to the latest version for Windows without breaking SEPM?

_Brian

That's what I'm not exactly sure about, so you should call Symantec to confirm.