
T-702: Apache web servers that allow a DoS attack

August 25, 2011 - 8:00pm


PROBLEM:

A denial-of-service vulnerability has been found in the way Apache handles multiple overlapping byte ranges in the HTTP Range header.

PLATFORM:

Apache 1.3 all versions, Apache 2 all versions

ABSTRACT:

Apache web servers allow a DoS attack.

REFERENCE LINKS:

Apache Advisory
Apache Archives
CVE-2011-3192

IMPACT ASSESSMENT:

High

Discussion:

The vulnerability commonly manifests itself when static content is served with on-the-fly compression through mod_deflate, but other modules that buffer and/or generate content in memory are likely to be affected as well.

Impact:

The attack can be carried out remotely, and a modest number of requests leads to very significant memory and CPU usage.
Apache HTTPD users are advised to investigate whether they are vulnerable (e.g. whether they allow Range headers and use mod_deflate) and to consider implementing any of the mitigations described in the Apache advisory linked above.
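As an added, defensive illustration that is not part of this bulletin or of Apache's own code: the Python below parses an HTTP Range header value as a server would, counts how many byte ranges a single request asks for and how many of them overlap, and returns a verdict that a reverse proxy, request filter or log-review script could act on. The threshold of five ranges per request and the sample header values are constructed assumptions for this example, not values taken from the bulletin.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One byte-range-spec: "first-last", "first-" or "-suffix_length" (RFC 2616, section 14.35.1).
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range header value into absolute (first, last) byte positions.

    Returns None when the value is not a syntactically valid byte-range set,
    in which case a server ignores the header and serves the whole entity.
    Ranges lying entirely past the end of the resource are unsatisfiable and dropped.
    """
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None  # bare "-" or an empty element is a syntax error
        if first == "":
            n = int(last)  # suffix range: the final n bytes
            if n == 0:
                continue
            ranges.append((max(0, content_length - n), content_length - 1))
            continue
        start = int(first)
        if start >= content_length:
            continue  # unsatisfiable on its own, ignored by the server
        end = content_length - 1 if last == "" else min(int(last), content_length - 1)
        if end < start:
            return None  # last-byte-pos before first-byte-pos invalidates the whole header
        ranges.append((start, end))
    return ranges


def count_overlapping(ranges: List[Tuple[int, int]]) -> int:
    """Return how many of the requested ranges share at least one byte with another range."""
    order = sorted(range(len(ranges)), key=lambda i: ranges[i])
    overlapping = set()
    for a in range(len(order)):
        ia = order[a]
        for b in range(a + 1, len(order)):
            ib = order[b]
            if ranges[ib][0] > ranges[ia][1]:
                break  # later ranges start even further right, so none can overlap ia
            overlapping.add(ia)
            overlapping.add(ib)
    return len(overlapping)


@dataclass
class RangeVerdict:
    action: str        # "serve", "reject" or "ignore" (malformed header: serve whole entity)
    range_count: int
    overlapping: int


def assess_range_header(header_value: str, content_length: int, max_ranges: int = 5) -> RangeVerdict:
    """Decide whether a Range header looks like normal partial-content use or abuse.

    max_ranges=5 is an assumed policy threshold: legitimate clients ask for a
    handful of ranges at most and do not request the same bytes more than once.
    """
    ranges = parse_byte_ranges(header_value, content_length)
    if ranges is None:
        return RangeVerdict("ignore", 0, 0)
    n = len(ranges)
    overlap = count_overlapping(ranges)
    if n > max_ranges or overlap:
        return RangeVerdict("reject", n, overlap)
    return RangeVerdict("serve", n, overlap)


if __name__ == "__main__":
    # Constructed sample headers against an assumed 1000-byte resource.
    samples = [
        "bytes=0-99",                      # ordinary single range
        "bytes=0-499,500-999",             # two disjoint ranges, typical of a download manager
        "bytes=0-99, 50-149",              # two ranges that overlap
        "bytes=0-,5-,10-,15-,20-,25-",     # many overlapping open-ended ranges
        "bytes=500-100",                   # syntactically invalid
    ]
    for h in samples:
        print(f"{h!r:40} -> {assess_range_header(h, 1000)}")
```

The verdict is deliberately conservative: a malformed header is reported as "ignore" rather than "reject" because that is what the server itself does with it, so the filter does not block requests the server would already treat as a plain GET.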

Solution:

There is currently no patch or new version of Apache that fixes this vulnerability. This advisory will be updated when a long-term fix is available; a fix is expected within the next 96 hours.
Apache Download
