Vulnerabilities found in HTTPD in VMware vFabric Enterprise Ready Server 4.0.3 (2008680)
The most recent release of vFabric Enterprise Ready Server is ERS 4.0.3, which includes httpd 2.2.17 and 2.0.64. Four vulnerabilities have been found and resolved in more recent versions of Apache Software Foundation httpd.
This article provides information about addressing these vulnerabilities in vFabric Enterprise Ready Server.
There is a patch available for ERS 4.0.3. This patch is recommended to address CVE-2011-3192, CVE-2011-0419, CVE-2011-3348, and CVE-2011-3368 for httpd 2.2.17 and (where applicable) httpd 2.0.64. The server version number does not change when the patch is applied (there is currently no upgrade to httpd 2.2.21), but the vulnerabilities are addressed.
For more information about the patch, see Security Vulnerabilities Fixed in 4.0.3 SP1 in Getting Started With vFabric Enterprise Ready Server. You can download the patch from the Download Center if you have ERS entitlements.
If you prefer not to apply a binary patch, Security Vulnerabilities Fixed in 4.0.3 SP1 in Getting Started With vFabric Enterprise Ready Server also describes workarounds to address the vulnerabilities.
Future vulnerabilities may be reported on the ASF httpd 2.2 vulnerabilities page, often with workarounds.
No patch has been released for ERS httpd 1.3 versions. Mitigations are advised as necessary. Contrary to initial reports, httpd 1.3 is not vulnerable to the Range header vulnerability, CVE-2011-3192.