httpd-users mailing list archives

From Regev Ayelet <Ayelet.Re...@comverse.com>
Subject RE: [users@httpd] availability of httpd 2.0.65
Date Tue, 02 Oct 2012 11:34:08 GMT
Even after installing the httpd patch provided by Apache, the Nessus scanning system is claiming:



55976 - Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.
Exploit code is publicly available and attacks have reportedly been observed in the wild.
See Also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://httpd.apache.org/security/CVE-2011-3192.txt
http://www.nessus.org/u?1538124a
http://www-01.ibm.com/support/docview.wss?uid=swg24030863
Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192.
Version 2.2.20 fixed the issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the vendor for a fix.
Risk Factor
High
CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
References
BID 49303
CVE CVE-2011-3192
XREF OSVDB:74721
XREF CERT:405811
XREF EDB-ID:17696
XREF EDB-ID:18221
Exploitable with
Core Impact (true), Metasploit (true)
Plugin Information:
Publication date: 2011/08/25, Modification date: 2012/09/06
Ports
tcp/443
Nessus determined the server is unpatched and is not using any
of the suggested workarounds by making the following requests :
-------------------- Testing for workarounds --------------------
HEAD /manual/rewrite/index.html HTTP/1.1
Host: 10.106.12.185
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
HTTP/1.0 206 Partial Content
Date: Mon, 01 Oct 2012 08:36:33 GMT
Server: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Tue, 06 Jan 2009 21:40:05 GMT
ETag: "bb44d-158f-401b9740;bb44c-ce-d99b0140"
Accept-Ranges: bytes
Content-Length: 836
Connection: close
Content-Type: multipart/x-byteranges; boundary=4cafb4d91905b7f1
Content-Language: en
-------------------- Testing for workarounds --------------------
-------------------- Testing for patch --------------------
HEAD /manual/rewrite/index.html HTTP/1.1
Host: 10.106.12.185
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
HTTP/1.0 206 Partial Content
Date: Mon, 01 Oct 2012 08:36:33 GMT
Server: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Tue, 06 Jan 2009 21:40:05 GMT
ETag: "bb44d-158f-401b9740;bb44c-ce-d99b0140"
Accept-Ranges: bytes
Content-Length: 11227
Connection: close
Content-Type: multipart/x-byteranges; boundary=4cafb4d91ab998 [...]

Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.regev@comverse.com
www.comverse.com
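
Added example (not part of the original message, and not Nessus's or Apache's code): a Python check that a log review or proxy filter could run over Range / Request-Range values such as the two in the scan output above, counting ranges, invalid specs and overlaps. The `max_ranges` limit and the 6000-byte body size are assumptions.

```python
import re

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_range_header(value):
    """Split a Range value into (first, last) specs; None marks an open end."""
    unit, _, rest = value.partition("=")
    if unit.strip().lower() != "bytes":
        return [], 0
    specs, invalid = [], 0
    for part in rest.split(","):
        m = _SPEC.match(part.strip())
        if not m or not (m.group(1) or m.group(2)):
            invalid += 1
            continue
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            invalid += 1          # e.g. "5-0": last byte before first byte
            continue
        specs.append((first, last))
    return specs, invalid

def resolve(spec, size):
    """Map one spec onto a body of `size` bytes; None if unsatisfiable."""
    first, last = spec
    if size <= 0:
        return None
    if first is None:             # suffix form "-N": the last N bytes
        return (max(size - last, 0), size - 1) if last else None
    if first >= size:
        return None
    return (first, size - 1 if last is None else min(last, size - 1))

def analyze(value, size, max_ranges=5):
    """Summarise a Range header; max_ranges is an assumed local policy limit."""
    specs, invalid = parse_range_header(value)
    spans = sorted(s for s in (resolve(sp, size) for sp in specs) if s)
    overlapping, furthest = 0, -1
    for start, end in spans:
        if start <= furthest:     # begins inside bytes already covered
            overlapping += 1
        furthest = max(furthest, end)
    requested = sum(end - start + 1 for start, end in spans)
    return {"ranges": len(specs), "invalid": invalid,
            "overlapping": overlapping, "bytes_requested": requested,
            "suspicious": len(specs) + invalid > max_ranges or overlapping > 0}

# The two Range values from the scan output above; SIZE is a constructed body length.
SIZE = 6000
WORKAROUND_PROBE = "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
PATCH_PROBE = "bytes=0-,1-"
if __name__ == "__main__":
    for header in (WORKAROUND_PROBE, PATCH_PROBE, "bytes=0-499"):
        print(header, analyze(header, SIZE))
```

For `bytes=0-,1-` the two ranges together ask for almost twice the body, which is the overlap the plugin description refers to.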


-----Original Message-----
From: Regev Ayelet [mailto:Ayelet.Regev@comverse.com]
Sent: Tuesday, October 02, 2012 1:01 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] availability of httpd 2.0.65

Any news on this issue?

Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.regev@comverse.com
www.comverse.com


-----Original Message-----
From: Regev Ayelet [mailto:Ayelet.Regev@comverse.com]
Sent: Sunday, September 30, 2012 4:08 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] availability of httpd 2.0.65

In this link:

http://wiki.apache.org/httpd/CVE-2011-3192


FIX
====

This vulnerability has been fixed in release 2.2.20 and further corrected
in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the
legacy 2.0.65 release, once this is published (anticipated in September).

If you cannot upgrade, or cannot wait to upgrade - you can apply the
appropriate source code patch and recompile a recent existing version;

  http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
  http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19)
  http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64)

If you cannot upgrade and/or cannot apply above patches in a timely manner
then you should consider to apply one or more of the mitigation suggested below.




Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.regev@comverse.com
www.comverse.com


-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Sunday, September 30, 2012 4:05 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] availability of httpd 2.0.65

On Sun, Sep 30, 2012 at 9:56 AM, Regev Ayelet <Ayelet.Regev@comverse.com> wrote:
> Hi All,
>
> According to apache.org, httpd 2.0.65 is supposed to be released during
> September.
> Does anyone have updates on this issue?
> I tried to install the patch, but my security system still claims there is a
> security bug…
>

Where do you see a date listed for 2.0.65?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


“This e-mail message may contain confidential, commercial or privileged information that
constitutes proprietary information of Comverse Technology or its subsidiaries. If you are
not the intended recipient of this message, you are hereby notified that any review, use or
distribution of this information is absolutely prohibited and we request that you delete all
copies and contact us by e-mailing to: security@comverse.com. Thank You.”
