httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: VOTES please -- CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (Final-5)
Date Wed, 24 Aug 2011 14:46:23 GMT
 

> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org] 
> Sent: Mittwoch, 24. August 2011 16:36
> To: dev@httpd.apache.org
> Subject: VOTES please -- CVE-2011-3192: Range header DoS 
> vulnerability in Apache 1.3 and Apache 2 (Final-5)
> 
> Folks,
> 
> Can I have a few +1's on below - or feedback on what we'd 
> like to have changed ?
> 
> *	Would like to get this out in an hour or so ?
> 
> *	FIne with the 48 hours commitment of an update ?
> 
> Dw.
> 
> 
> 
> Title:    CVE-2011-3192: Range header DoS vulnerability 
> Apache HTTPD 1.3/2.x
> Date:     20110824 1600Z
> Product:  Apache HTTPD Web Server
> Versions: Apache 1.3 all versions, Apache 2 all versions
> 
> Description:
> ------------
> 
> A denial of service vulnerability has been found in the way 
> the multiple overlapping ranges are handled by the Apache 
> HTTPD server:
> 
>      http://seclists.org/fulldisclosure/2011/Aug/175  
> 
> An attack tool is circulating in the wild. Active use of this 
> tools has been observed.
> 
> The attack can be done remotely and with a modest number of 
> requests can cause very significant memory and CPU usage on 
> the server. 
> 
> The default Apache HTTPD installation is vulnerable.
> 
> There is currently no patch/new version of Apache HTTPD which 
> fixes this vulnerability. This advisory will be updated when 
> a long term fix is available. 
> 
> A full fix is expected in the next 48 hours. 
> 
> Mitigation:
> ------------
> 
> However there are several immediate options to mitigate this 
> issue until that time:
> 
> 1) Use mod_rewrite to limit the number of ranges:
> 
>    Option 1L
>           RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>           RewriteRule .* - [F]
> 
>    Option 2:
>           SetEnvIf Range (,.*?){5,} bad-range=1
>           RequestHeader unset Range env=bad-range
>           # optional logging.
>           CustomLog logs/range.log "%r %{Range}i %{bad-range}e"

Shouldn't it be a conditional logging?

CustomLog logs/range.log "%r %{Range}i" env=bad-range

Otherwise looks good. +1.

Regards

Rüdiger



Mime
View raw message