httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT)dev
Date Wed, 24 Aug 2011 12:11:30 GMT
Comments please. Esp. on the quality and realisticness of the mitigtions.

Title:	    CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2
Date:       20110824 1600Z
# Last Updated:  20110824 1600Z
Product:   Apache Web Server
Versions:  Apache 1.3 all versions, Apache 2 all versions


A denial of service vulnerability has been found in the way the multiple overlapping ranges
are handled by apache ( It most commonly
manifests itself when static content is made available with compression on the fly through

This is a very common (the default right!?) configuration. 

The attack can be done remotely and with a modest number of requests leads to very significant
memory and CPU usage. 

Active use of this tools has been observed in the wild.

There is currently no patch/new version of apache which fixes this vulnerability. This advisory
will be updated when a long term fix is available. A fix is expected in the next 96 hours.


However are several immediate options to mitigate this issue until that time:

1)	Disable compression-on-the-fly by:

	1)	removing mod_deflate as a loaded module and/or by removing any 
		AddOutputFilterByType/SetOutputFilter DEFLATE entries.

	2) 	Disable it with "BrowserMatch .* no-gzip"


2)	Use mod_headers to dis-allow the use of Range headers:

		RequestHeader unset Range 

	Note that this may break certain clients - such as those used for
	e-Readers and progressive/http-streaming video.

2)	Limit the size of the request field to a few hundred bytes. Note that while this
	keeps the offending Range header short - it may break other headers; such as sizable
	cookies or security fields. 

		LimitRequestFieldSize 200

	Note that as the attack evolves in the field you are likely to have
	to further limit this and/or impose other LimitRequestFields limits.


3)	Deploy a Range header count module as a temporary stopgap measure:

4)	Apply any of the current patches under discussion - such as:

Apache HTTPD users are advised to investigate wether they are vulnerable (e.g. allow Range
headers and use mod_deflate) and consider implementing any of the above mitigations. 


This advisory will be updated when a fix/patch or new release is available. A patch or new
apache release for Apache 2.0 and 2.2 is expected in the next 96 hours. Note that, while popular,
Apache 1.3 is deprecated. 

View raw message