Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by wrowe: http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=8&rev2=9 Last Change: 20110831 1800Z Date: 20110824 1600Z Product: Apache HTTPD Web Server - Versions: Apache 2.0 - all versions prior to 2.2.20; + Versions: Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65 Apache 1.3 is NOT vulnerable. Changes since last update @@ -41, +41 @@ The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. - The default Apache HTTPD installations version 2.0 and 2.2 prior to + The default Apache httpd installations version 2.0 prior to 2.0.65 and - 2.2.20 are vulnerable. + version 2.2 prior to 2.2.20 are vulnerable. Apache 2.2.20 does fix this issue; however with a number of side effects - (see release notes). Version 2.2.21 xxx + (see release notes). Version 2.2.21 corrects a protocol defect in 2.2.20, + and also introduces the MaxRanges directive. + + Version 2.0.65 has not been released, but will include this fix, and is + anticipated in September. Apache 1.3 ========== @@ -141, +145 @@ 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request. - Option 1: (Apache 2.2) + Option 1: (Apache 2.2, requires mod_setenvif and mod_headers) # Drop the Range header when more than 5 ranges. # CVE-2011-3192 @@ -160, +164 @@ mod_cache and (language) modules may act before the 'unset' is executed upon during the 'fixup' phase. - Option 2: (Pre 2.2) + Option 2: (Pre 2.2, requires mod_rewrite and mod_headers) # Reject request when more than 5 ranges in the Range: header. # CVE-2011-3192 @@ -199, +203 @@ 4) Deploy a Range header count module as a temporary stopgap measure. 
+ A stop-gap module which is runtime-configurable can be found at: + - http://people.apache.org/~dirkx/mod_rangecnt-improved/ + http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/ - - An improved stop-gap module for the 2.x series was provided by - Guenter Knauf and can be found at: + + A simpler stop-gap module which requires compile-time configuration + is also available: http://people.apache.org/~dirkx/mod_rangecnt.c @@ -232, +238 @@ Apache HTTPD users who are concerned about a DoS attack against their server should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available), 2) if not possible - apply the provided patches or 3) consider implementing - any of the above mitigations immediately. + any of the above mitigation immediately. When using a third party attack tool to verify vulnerability - note that most of the versions in the wild currently check for the presence of mod_deflate;
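Review bot: the amended "Versions:" line in the header hunk still attaches the 2.2 threshold to the 2.0 branch ("Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65"), while the -41 hunk below states the same fact correctly ("version 2.0 prior to 2.0.65 and version 2.2 prior to 2.2.20"). Suggest mirroring that wording in the header, e.g. "Versions: Apache 2.0 prior to 2.0.65; Apache 2.2 prior to 2.2.20", so the summary cannot be read as a different affected range than the body.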
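Review bot: in the -41 hunk, "Version 2.2.21 corrects a protocol defect in 2.2.20" names no defect and "anticipated in September" carries no year, so the paragraph will age without telling the reader which defect was fixed or when the estimate was made. Suggest either naming the defect or pointing at the 2.2.21 release notes (the text already refers readers to release notes for 2.2.20), and dating the 2.0.65 estimate, e.g. "anticipated in September 2011 (as of 20110831)", matching the Last Change stamp at the top of the page.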
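Review bot: the -141 hunk adds "requires mod_setenvif and mod_headers" to the Option 1 heading, which is useful, but the caveat in the unchanged context of the next hunk ("mod_cache and (language) modules may act before the 'unset' is executed upon during the 'fixup' phase") is the more important operational limit of this option. Suggest repeating that limit in the Option 1 heading or its "# Drop the Range header" comment, so an administrator who only reads the option block does not assume the unset protects modules that run earlier than fixup.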
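Review bot: the -160 hunk labels Option 2 "(Pre 2.2, requires mod_rewrite and mod_headers)", yet the comment beneath it says the option rejects the request ("# Reject request when more than 5 ranges in the Range: header"), which is a mod_rewrite action and does not by itself need mod_headers. Please confirm which directives Option 2 actually uses and list only the modules those directives belong to, so that a pre-2.2 site without mod_headers is not told it cannot apply the rule.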
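Review bot: the -199 hunk drops the attribution "provided by Guenter Knauf" while moving the improved module's URL from ~dirkx to ~fuankg, so the new text no longer says who maintains the runtime-configurable module. Suggest keeping the author's name next to the new URL, e.g. "A stop-gap module which is runtime-configurable, provided by Guenter Knauf, can be found at: http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/"; the contrast with the second module ("requires compile-time configuration") is clear and should stay.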
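Review bot: the -232 hunk changes "any of the above mitigations immediately" to "any of the above mitigation immediately", which is a grammatical regression rather than a fix ("any of the above" takes the plural); suggest reverting to "mitigations". The unchanged context that follows ends mid-sentence at "currently check for the presence of mod_deflate;", so please verify the remainder of that sentence survived on the page after this edit.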
