74721 : Apache HTTP Server ByteRange Filter Memory Exhaustion Remote DoS
Printer | http://osvdb.org/74721 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
68	6984	over 1 year ago	2 days ago	55 times	100%

Timeline

Disclosure Date
2011-08-20

Description

A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server prior to version 2.2.20. An attack tool is circulating in the wild. Active use of this tool has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. The default Apache httpd installations version 2.0 prior to 2.0.65 and version 2.2 prior to 2.2.20 are vulnerable. Apache 2.2.20 does fix this issue; however with a number of side effects (see release notes). Version 2.2.21 corrects a protocol defect in 2.2.20, and also introduces the MaxRanges directive. Apache 1.3 is NOT vulnerable. However as explained in the background section in more detail - this attack does cause a significant and possibly unexpected load. You are advised to review your configuration in that light.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure

Solution

Upgrade to Apache 2.0.65, or Apache 2.2.20 or later version. Consult the Apache vendor advisory in the references section for more details.

Products

The Apache Software Foundation	HTTP Server	2.0.19
		2.0.11
		2.0.42
		2.0.15
		2.0.41
		2.0.17
		2.0.48
		2.0.43
		2.0.16
		2.0.10
		2.0.49
		2.0.44
		2.0.18
		2.0.50
		2.0.45
		2.0.2
		2.0.28
		2.0.5
		2.2.4
		2.0.26
		2.2.5
		2.0.46
		2.0.3
		2.0.52
		2.0.32
		2.2.6
		2.0.2x
		2.0.6
		2.0.47
		2.0.35
		2.0.7
		2.0ax
		2.0.36
		2.0.30
		2.0.1x
		2.0.29
		2.0.31
		2.0.20
		2.0.12
		2.0.54
		2.0.33
		2.0.21
		2.0.34
		2.0.22
		2.0.8
		2.0.27
		2.0.13
		2.0.1
		2.0.37
		2.0.23
		2.0.9
		2.0.25
		2.0.24
		2.0.38
		2.2 GA
		2.0.39
		2.0.14
		2.0.53
		2.2.0
		2.0.61
		2.2.1
		2.0.55
		2.0.59
		2.0.56
2.0.4
2.0.51
2.0.57
2.0.3x
2.0.58
2.0.60
2.0 GA
2.2.3
2.0.40
2.2.2
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19

References

Tools & Filters

	55976 56216
	6021

Credit

kingcope

CVSSv2 Score

CVSSv2 Base Score = 5.0
Source: nvd.nist.gov | Generated: 2011-08-30 | Disagree? | There are 1 more: View All

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.