Please read the cited CVE bulletins.
The risk basically boils down to: "the HTTP TRACE method is enabled".
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.
source: CERT
To fix it, just disable the HTTP TRACE method.
For Heroku, for example: link
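To see what the bulletin is describing and to verify the fix, here is an added example (my own code, not from the post above or from CERT) that sends a raw TRACE request carrying a canary header and reports whether the server echoes it back. It runs offline against two throwaway local servers: one with a deliberately vulnerable `do_TRACE` that echoes the request like a server with TRACE enabled, and one that simply lacks the handler and therefore answers 501. The handler class names, the canary header name and the port choice are my own assumptions for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical canary header: if it comes back in the body, TRACE is echoing
# request headers (and would echo Cookie/Authorization headers just the same).
CANARY = "X-Probe-Canary"


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Deliberately vulnerable: echoes the request, as servers with TRACE enabled do."""
    protocol_version = "HTTP/1.1"

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class NoTraceHandler(BaseHTTPRequestHandler):
    """Hardened: no do_TRACE, so the base class answers 501 Not Implemented."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):
        pass


def probe_trace(host, port, path="/", timeout=5.0):
    """Send TRACE with a canary header and classify the response.

    TRACE is only considered enabled when the status is 200 AND the canary
    header is echoed in the body; a bare 200 is not enough, because some
    front ends answer 200 to any method without echoing anything.
    """
    request = (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"{CANARY}: trace-probe-12345\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    echoed = CANARY.lower() in body.lower()
    return {"status": status, "echoed_headers": echoed, "trace_enabled": status == 200 and echoed}


def start_server(handler):
    """Start a local HTTP server on an ephemeral port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe the vulnerable and the hardened server; returns both results."""
    results = {}
    for name, handler in (("vulnerable", TraceEchoHandler), ("hardened", NoTraceHandler)):
        srv = start_server(handler)
        try:
            results[name] = probe_trace("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Point the same `probe_trace` at a real host (with authorization) to confirm the fix: a 405, 501 or 403 with no echoed canary means TRACE is off. On Apache the directive is `TraceEnable off`; on a platform like Heroku the fix lives in whatever the platform's documentation (linked above) prescribes. Note that a proxy or CDN in front of the origin may answer TRACE itself, so probe the origin directly as well as the public hostname.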