Cisco Bug: CSCup45495 - MSE Apache HTTP Server and HTTP Trace vulnerabilities

Last Modified

Jan 30, 2020

Products (1)

  • Cisco Mobility Services Engine

Known Affected Releases

7.6(120.0)

Description (partial)

Symptom:
Cisco Mobility Services Engine contains a version of Apache HTTPD that is affected by the vulnerability
identified by the following Common Vulnerabilities and Exposures (CVE) ID:

CVE-2012-0053 protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header
information during construction of Bad Request (aka 400) error documents, which allows remote attackers to
obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.
This has been classified by the vendor as having a CVSS v2 Base Score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N).

This bug was opened to address the potential impact on this product.

The bug fix will also include further hardening of the HTTP server by disabling the TRACE method.
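
An added example, not part of the Cisco bug record or Cisco's fix: a small Python audit that flags an Apache version string in the range the CVE text names (2.2.x through 2.2.21) and reports each scope where TRACE is still enabled. It assumes the hardening maps to Apache's `TraceEnable off` directive; the banner and configuration excerpt are constructed samples, and `Include`d files are not followed.

```python
import re

LAST_AFFECTED_PATCH = 21  # CVE text: Apache HTTP Server 2.2.x through 2.2.21

# Constructed samples for illustration; not taken from a real MSE.
SAMPLE_BANNER = "Server version: Apache/2.2.15 (Unix)"
SAMPLE_CONF = """\
<VirtualHost *:443>
    TraceEnable extended
</VirtualHost>
TraceEnable off
"""

def parse_apache_version(banner):
    """Pull (major, minor, patch) out of a Server header or `httpd -v` line."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(part) for part in m.groups()) if m else None

def in_cve_2012_0053_range(version):
    return bool(version) and version[:2] == (2, 2) and version[2] <= LAST_AFFECTED_PATCH

def trace_settings(conf_text):
    """Effective TraceEnable per scope; Apache's default is 'on'."""
    scopes, current = {"global": None}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        directive = re.match(r"TraceEnable\s+(\S+)", line, re.I)
        if vhost:
            current = "vhost " + vhost.group(1).strip()
            scopes[current] = None
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "global"
        elif directive:
            scopes[current] = directive.group(1).lower()
    inherited = scopes["global"] or "on"  # vhosts inherit the server-level value
    return {scope: value or inherited for scope, value in scopes.items()}

def audit(banner, conf_text):
    findings = []
    version = parse_apache_version(banner)
    if in_cve_2012_0053_range(version):
        findings.append("CVE-2012-0053 range: Apache %d.%d.%d" % version)
    for scope, value in trace_settings(conf_text).items():
        if value != "off":
            findings.append("TRACE enabled in %s (TraceEnable %s)" % (scope, value))
    return findings
```

A version banner alone does not prove exposure, since vendors often backport fixes without changing the version string; treat a hit as a prompt to check the release against the bug's fixed releases.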

Conditions:
Device with default configuration.