Spudinski, posted August 29, 2011

The Apache Software Foundation has announced a denial-of-service vulnerability that affects all versions of the ubiquitous Apache web server, leaving up to 65% of all websites vulnerable. See Naked Security. I'd advise sysadmins to work around this; see Apache's docs. There is as of yet no patch available, since it's not really a vulnerability as much as a feature.
rulerofzu, posted August 29, 2011

There are temporary solutions for this whilst updates are tested. The initial exploit has revealed 3 further exploits. For those on cPanel see http://forums.cpanel.net/f185/case-52484-apache-vulnerable-229112.html
Spudinski (author), posted August 29, 2011

I'd think the most viable temporary solution is to 404 on all Range headers, e.g.: Range: bytes=0-100 since this seems to be the most used by attackers. Of course, this is only viable for "games", and not if you run a download site.
Spudinski (author), posted August 31, 2011

Update available.

SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.

More info and latest release can be found at https://www.apache.org/dist/httpd/Announcement2.2.html
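The rule in the changelog above (sum the requested ranges; if the total exceeds the file size, drop the Range header and serve the whole file) is small enough to show in a few lines. The following is an added illustration written for this thread, not Apache's own code; the function name and the sample headers are constructed.

```python
import re
from typing import List, Optional, Tuple

_BYTES_RE = re.compile(r"^bytes=(.+)$")


def parse_byte_ranges(header: str, file_size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse an HTTP Range header value for a file of `file_size` bytes.

    Returns the satisfiable (start, end) pairs, or None when the server should
    ignore the header and send the complete file instead. None is returned both
    for malformed specs and when the ranges add up to more than the file itself,
    which is the check added for CVE-2011-3192 ("Apache Killer" sent hundreds of
    overlapping ranges so that every one of them was buffered separately).
    """
    m = _BYTES_RE.match(header.strip())
    if not m:
        return None  # only "bytes=" ranges are defined; anything else is ignored

    ranges: List[Tuple[int, int]] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if "-" not in spec:
            return None
        first, last = spec.split("-", 1)
        if first == "":
            # suffix form "-N": the last N bytes of the file
            if not last.isdigit():
                return None
            n = int(last)
            if n == 0:
                continue  # "-0" is unsatisfiable; skip it
            ranges.append((max(0, file_size - n), file_size - 1))
        else:
            if not first.isdigit() or (last != "" and not last.isdigit()):
                return None
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
            if start >= file_size or start > end:
                continue  # unsatisfiable range (e.g. "5-1"); skip it
            ranges.append((start, end))

    # The CVE-2011-3192 fix: overlapping ranges are not merged, so a request
    # whose ranges sum to more than the file is treated as having no Range at all.
    total = sum(end - start + 1 for start, end in ranges)
    if not ranges or total > file_size:
        return None
    return ranges
```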