74721 : Apache HTTP Server ByteRange Filter Memory Exhaustion Remote DoS
Printer | http://osvdb.org/74721 | Email This | Edit Vulnerability

Views This Week Views All Time Added to OSVDB Last Modified Modified (since 2008) Percent Complete
77 3504 9 months ago 28 days ago 47 times 100%

Timeline
Disclosure Date
2011-08-19

Keywords

 HPSBUX02702 SSRT100606

Description

A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server prior to version 2.2.20: http://seclists.org/fulldisclosure/2011/Aug/175 An attack tool is circulating in the wild. Active use of this tool has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. The default Apache httpd installations version 2.0 prior to 2.0.65 and version 2.2 prior to 2.2.20 are vulnerable. Apache 2.2.20 does fix this issue; however with a number of side effects (see release notes). Version 2.2.21 corrects a protocol defect in 2.2.20, and also introduces the MaxRanges directive. Version 2.0.65 includes fix for this vulnerability. Apache 1.3 is NOT vulnerable. However as explained in the background section in more detail - this attack does cause a significant and possibly unexpected load. You are advised to review your configuration in that light.

Classification

 Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure

Solution

Upgrade to Apache 2.0.65, or Apache 2.2.20 or later version. Consult the Apache vendor advisory in the references section for more details.

Products
Apache Software Foundation
Watch-list
HTTP Server
Watch-list
 2.0.19
2.0.11
2.0.42
2.0.15
2.0.41
2.0.17
2.0.48
2.0.43
2.0.16
2.0.10
2.0.49
2.0.44
2.0.18
2.0.50
2.0.45
2.0.2
2.0.28
2.0.5
2.2.4
2.0.26
2.2.5
2.0.46
2.0.3
2.0.52
2.0.32
2.2.6
2.0.2x
2.0.6
2.0.47
2.0.35
2.0.7
2.0ax
2.0.36
2.0.30
2.0.1x
2.0.29
2.0.31
2.0.20
2.0.12
2.0.54
2.0.33
2.0.21
2.0.34
2.0.22
2.0.8
2.0.27
2.0.13
2.0.1
2.0.37
2.0.23
2.0.9
2.0.25
2.0.24
2.0.38
2.2 GA
2.0.39
2.0.14
2.0.53
2.2.0
2.0.61
2.2.1
2.0.55
2.0.59
2.0.56
2.0.4
2.0.51
2.0.57
2.0.3x
2.0.58
2.0.60
2.0 GA
2.2.3
2.0.40
2.2.2
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19

References

Tools & Filters
55976 56216
6021

Credit

CVSSv2 Score

CVSSv2 Base Score = 5.0
Source: nvd.nist.gov | Generated: 2011-08-30 | Disagree? | There are 1 more: View All

Access_vector_2 Access_complexity_2 Authentication_2 Confidentiality_impact_0 Integrity_impact_0 Availability_impact_1

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

2011/09/19 10:29:00 | Oracle rushes out emergency Apache DDoS patch

from: The Register

...products. The former product includes Apache httpd 2.2; the latter includes Apache httpd 2.0. The vulnerability, CVE-2011-3192, creates a means to trick a web clients into requesting multiple parts of the same file at the same time, causing systems to get...

Comments

Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2012 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use