httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Apache httpd Range header remote DoS
Date Fri, 04 Nov 2011 15:18:46 GMT
On Fri, Nov 4, 2011 at 2:59 PM, Ruiyuan Jiang <Ruiyuan_Jiang@liz.com> wrote:
> Hi, all
>
> I have an Apache reverse proxy server (v2.2.21) redirects traffic from http
> to https for a back end web server. I don’t know the exact version of the
> back end Apache web server because Oracle changed the version number but I
> am sure it is below v2.2.21. Our vulnerability scan shows that the web site
> has:
>
> Apache httpd Range header remote DoS (CVE-2011-3192)
> (apache-httpd-cve-2011-3192)
>
> My question is that front end of Apache reverse proxy hide the back end web
> server problem, isn’t it? If not, how do I fix the problem besides to
> upgrade the version of back end Apache web server? Thanks.
>
> Ryan Jiang
> Liz Claiborne, Inc.
>
>

Did you read the CVE? It explained the issues and how to work around them…

http://httpd.apache.org/security/CVE-2011-3192.txt

Upgrading the reverse proxy will not protect the back end servers. The
range headers are passed through to the back end, and so they must be
capable of determining whether it is malicious or not - the proxy
cannot really decide this.

If you cannot upgrade the back ends, there are several mitigations
listed in the CVE.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message