CVE-2012-0053
First published: Fri Jan 27 2012(Updated: )
A flaw was found in the default error response for status code 400. This could be used by an attacker to expose "httpOnly" cookies, when no custom ErrorDocument was specified. This affects all versions of Apache from 2.2.0 up to and including 2.2.21. It will be fixed upstream in 2.2.22 (via r1235454 [1]). [1] <a href="http://svn.apache.org/viewvc?view=revision&revision=1235454">http://svn.apache.org/viewvc?view=revision&revision=1235454</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd | <2.2.22 | 2.2.22 |
| Apache Http Server | >=2.0.0<2.0.65 | |
| Apache Http Server | >=2.2.0<2.2.22 | |
| Debian | =5.0 | |
| Debian | =6.0 | |
| Debian | =7.0 | |
| Open edX | =11.4 | |
| SUSE Linux Enterprise Server | =10-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =10-sp4 | |
| Red Hat Storage | =2.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Server EUS | =6.2 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat JBoss Enterprise Web Server | =1.0.0 | |
| Red Hat Enterprise Linux | =5.0 | |
| Red Hat Enterprise Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://svn.apache.org/viewvc?view=revision&revision=1235454
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785070
- https://access.redhat.com/security/cve/CVE-2012-0053
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c0
- http://fd.the-wildcat.de/apache_e36a9cf46c.php
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c4
- https://rhn.redhat.com/errata/RHSA-2012-0128.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c11
- https://rhn.redhat.com/errata/RHSA-2012-0323.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c12
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c15
- https://access.redhat.com/support/policy/updates/errata/
- https://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?view=diff&r1=1237164&r2=1237165&pathrev=1237165
- https://rhn.redhat.com/errata/RHSA-2012-0543.html
- https://rhn.redhat.com/errata/RHSA-2012-0542.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c5
- http://httpd.apache.org/docs/2.2/mod/core.html#errordocument
- https://bugzilla.redhat.com/show_bug.cgi?id=785069
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://httpd.apache.org/security/vulnerabilities_22.html
- http://kb.juniper.net/JSA10585
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html
- http://marc.info/?l=bugtraq&m=133294460209056&w=2
- http://marc.info/?l=bugtraq&m=133494237717847&w=2
- http://marc.info/?l=bugtraq&m=133951357207000&w=2
- http://marc.info/?l=bugtraq&m=136441204617335&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0128.html
- http://rhn.redhat.com/errata/RHSA-2012-0542.html
- http://rhn.redhat.com/errata/RHSA-2012-0543.html
- http://secunia.com/advisories/48551
- http://support.apple.com/kb/HT5501
- http://www.debian.org/security/2012/dsa-2405
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:012
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
- http://www.securityfocus.com/bid/51706
- https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r1d201e3da31a2c8aa870c8314623caef7debd74a13d0f25205e26f15@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
Frequently Asked Questions
Is there a workaround for CVE-2012-0053?
A workaround for CVE-2012-0053 is to specify a custom ErrorDocument to prevent default error responses.
- collector/redhat-bugzilla
- alias/CVE-2012-0053
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/author
- agent/remedy
- agent/references
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.0.0
- version/apache http server/2.2.0
- vendor/debian
- canonical/debian
- version/debian/5.0
- version/debian/6.0
- version/debian/7.0
- vendor/opensuse
- canonical/open edx
- version/open edx/11.4
- vendor/suse
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp4
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/10-sp4
- vendor/redhat
- canonical/red hat storage
- version/red hat storage/2.0
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/6.2
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- canonical/red hat jboss enterprise web server
- version/red hat jboss enterprise web server/1.0.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.0