
QID 87120: Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability on Fabric OS

Question asked by Gabriela Perea on May 15, 2013

Hi everyone,

We have a couple of Fabric OS showing up the following QID 87120: Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability. Qualys states that this issue has been patched in Apache 2.2.22. Refer to Apache 2.2 Security Vulnerabilities (http://httpd.apache.org/security/vulnerabilities_22.html).

Vendor states that they use version httpd 2.0.50, and that the vulnerability is not applicable to the FOS because the affected versions are 2.2.x through 2.2.21 according to the CVE-ID. Does anyone know if there is a fix to prevent this HttpOnly cookie information disclosure vulnerability in Apache httpd 2.0.50? Hard to believe that older versions are not vulnerable when there is already a fix for upper versions.

Any help you can provide will be greatly appreciated. Thanks in advance.
