Spudinski, posted August 29, 2011:

The Apache Software Foundation has announced a denial-of-service vulnerability that affects all versions of the ubiquitous Apache web server, leaving up to 65% of all websites vulnerable. See Naked Security. I'd advise sysadmins to work around this; see Apache's docs. There is as yet no patch available, since it's not really a vulnerability as much as a feature.
rulerofzu, posted August 29, 2011:

There are temporary solutions for this whilst updates are tested. The initial exploit has revealed 3 further exploits. For those on cPanel see http://forums.cpanel.net/f185/case-52484-apache-vulnerable-229112.html
Spudinski (author), posted August 29, 2011:

I'd think the most viable temporary solution is to 404 on all Range headers, e.g.:

Range: bytes=0-100

since this seems to be the most used by attackers. Of course, this is only viable for "games", and not if you run a download site.
Spudinski (author), posted August 31, 2011:

Update available.

SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.

More info and latest release can be found at https://www.apache.org/dist/httpd/Announcement2.2.html
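To make the two approaches in this thread concrete, here is an added Python example (not code from the thread or from the Apache project) that parses a Range header and applies either the blunt workaround suggested earlier (refuse every Range request) or the rule quoted from the 2.2.20 changelog above (if the sum of all requested ranges exceeds the file size, ignore the ranges and serve the whole file). The function names, the `strict_reject` flag and the sample headers are assumptions constructed for illustration; the example covers only the sum-of-ranges rule, not the other hardening that went into the release.

```python
import re
from typing import List, Optional, Tuple

# One range-spec: "first-last", "first-" or "-suffix_length" (RFC 2616 byte-range-spec)
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header: str, file_size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range header into a list of inclusive (first, last) byte offsets.

    Returns None when the header is syntactically invalid (a server would then
    ignore it and answer 200 with the full body). Unsatisfiable ranges are
    dropped; an empty list means every range was unsatisfiable (416).
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            return None
        first_s, last_s = m.groups()
        if first_s == "" and last_s == "":
            return None  # "-" alone is not a valid range-spec
        if first_s == "":
            # suffix range: the last N bytes of the file
            n = int(last_s)
            if n == 0:
                continue
            first, last = max(0, file_size - n), file_size - 1
        else:
            first = int(first_s)
            if first >= file_size:
                continue  # unsatisfiable: starts past end of file
            last = file_size - 1 if last_s == "" else min(int(last_s), file_size - 1)
            if last < first:
                return None  # last-byte-pos before first-byte-pos is a syntax error
        ranges.append((first, last))
    return ranges


def range_policy(header: Optional[str], file_size: int, strict_reject: bool = False):
    """Decide how to answer a request given its Range header.

    Returns (status, ranges): "200" with ranges=None means serve the full file,
    "206" means serve the listed byte ranges, "416" means none were satisfiable,
    "404" is the blunt workaround from the thread (refuse every Range request).
    """
    if header is None:
        return "200", None
    if strict_reject:
        return "404", None  # assumed policy: the thread's "404 on all Range headers"
    ranges = parse_byte_ranges(header, file_size)
    if ranges is None:
        return "200", None  # malformed Range header is ignored, not an error
    if not ranges:
        return "416", None
    # The 2.2.20 rule: if the ranges together ask for more bytes than the file
    # holds (overlapping or repeated ranges), ignore them and send the whole file
    # instead of buffering one response fragment per range.
    requested = sum(last - first + 1 for first, last in ranges)
    if requested > file_size:
        return "200", None
    return "206", ranges


if __name__ == "__main__":
    # Constructed sample headers against a hypothetical 1000-byte file
    size = 1000
    for hdr in ("bytes=0-100", "bytes=0-499,500-999", "bytes=0-,0-,0-", "bytes=-100", "bytes=2000-"):
        print(hdr, "->", range_policy(hdr, size))
    print("bytes=0-100 (strict) ->", range_policy("bytes=0-100", size, strict_reject=True))
```

The overlapping case "bytes=0-,0-,0-" requests three copies of the whole file, so the sum check collapses it to an ordinary 200 response; a legitimate resumed download such as "bytes=-100" or two adjacent ranges still receives a 206, which is why the changelog rule is a gentler fix than refusing every Range header.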