httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruiyuan Jiang <Ruiyuan_Ji...@liz.com>
Subject RE: [users@httpd] Apache httpd Range header remote DoS
Date Fri, 04 Nov 2011 19:09:16 GMT
Thanks for the answer, Tom

Ryan

-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com] 
Sent: Friday, November 04, 2011 11:19 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache httpd Range header remote DoS

On Fri, Nov 4, 2011 at 2:59 PM, Ruiyuan Jiang <Ruiyuan_Jiang@liz.com> wrote:
> Hi, all
>
> I have an Apache reverse proxy server (v2.2.21) redirects traffic from http
> to https for a back end web server. I don’t know the exact version of the
> back end Apache web server because Oracle changed the version number but I
> am sure it is below v2.2.21. Our vulnerability scan shows that the web site
> has:
>
> Apache httpd Range header remote DoS (CVE-2011-3192)
> (apache-httpd-cve-2011-3192)
>
> My question is that front end of Apache reverse proxy hide the back end web
> server problem, isn’t it? If not, how do I fix the problem besides to
> upgrade the version of back end Apache web server? Thanks.
>
> Ryan Jiang
> Liz Claiborne, Inc.
>
>

Did you read the CVE? It explained the issues and how to work around them…

http://httpd.apache.org/security/CVE-2011-3192.txt

Upgrading the reverse proxy will not protect the back end servers. The
range headers are passed through to the back end, and so they must be
capable of determining whether it is malicious or not - the proxy
cannot really decide this.

If you cannot upgrade the back ends, there are several mitigations
listed in the CVE.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended 
recipient, please notify the sender immediately by 
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.
Mime
View raw message