Apache httpOnly cookie disclosure
Description
Apache HTTP Server versions 2.2.x through 2.2.21 mishandle request header data when generating an HTTP 400 (Bad Request) error response. When the server receives a malformed or excessively long HTTP header, the error response body may echo the offending header, including cookies marked with the HttpOnly flag. An attacker who can cause a victim's browser to send such a request can read the error response from client-side script, thereby bypassing the HttpOnly protection, which is meant to keep cookie values out of reach of script.
Affected versions: Apache HTTP Server 2.2.x through 2.2.21
Remediation
Upgrade Apache HTTP Server to version 2.2.22 or later, which contains the fix for this vulnerability. Follow these steps:
1. Identify your current Apache version:
   httpd -v
2. Download Apache 2.2.22 or later from the official Apache HTTP Server project website, or use your distribution's package manager.
3. For package-managed installations (recommended):
   # Debian/Ubuntu
   sudo apt-get update
   sudo apt-get install apache2
   # RHEL/CentOS
   sudo yum update httpd
4. Verify the updated version:
   httpd -v
5. Restart the Apache service:
   sudo systemctl restart apache2   # Debian/Ubuntu
   sudo systemctl restart httpd     # RHEL/CentOS
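The version check in steps 1 and 4 is easy to get wrong when done by eye across a fleet of hosts. The following script is an added example, not part of the advisory, that parses the output of "httpd -v" (assumed to contain a line of the form "Server version: Apache/2.2.21 (Unix)") and reports whether the version falls inside the affected range 2.2.0 through 2.2.21.

```shell
#!/bin/sh
# Added example: classify an Apache build as affected or not from its
# "httpd -v" banner. Affected range per the advisory: 2.2.x with x <= 21.
#
# Usage:  httpd -v | ./check_httpd.sh
#    or:  check_httpd_output "$(httpd -v)"

# Pull the first x.y.z that follows "Apache/" out of the banner text.
# Assumes the banner format "Server version: Apache/<x.y.z> (<platform>)".
extract_httpd_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Exit 0 when the dotted version is 2.2.<patch> with patch <= 21, else 1.
is_affected_version() {
    ver="$1"
    major=${ver%%.*}          # "2"
    rest=${ver#*.}            # "2.21"
    minor=${rest%%.*}         # "2"
    patch=${rest#*.}          # "21"
    [ "$major" = 2 ] && [ "$minor" = 2 ] && [ "$patch" -le 21 ]
}

# Human-readable verdict for a full banner. Exit codes:
#   0 = affected, 1 = not affected, 2 = version could not be parsed.
check_httpd_output() {
    v=$(extract_httpd_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: could not find an Apache/x.y.z version in input"
        return 2
    fi
    if is_affected_version "$v"; then
        echo "affected ($v): upgrade to 2.2.22 or later"
        return 0
    fi
    echo "not affected ($v)"
    return 1
}

# When run as a script (not sourced), read the banner from stdin.
if [ "${0##*/}" = "check_httpd.sh" ]; then
    check_httpd_output "$(cat)"
fi
```

One caveat for anyone relying on this: distribution packages often backport security fixes without changing the upstream version string, so a banner such as Apache/2.2.16 on a fully patched distribution build may already carry the fix. Treat the version check as a first-pass filter and confirm against the distribution's package changelog or security advisory for the installed package.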
If immediate patching is not possible, consider a Web Application Firewall (WAF) rule that rejects requests with malformed or excessively long headers as a temporary mitigation; this reduces exposure but does not remove the underlying defect, so the upgrade should still follow.