Dennis' Domino Blog

Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) -> IBM HTTP Server too!

08/25/11 10:18 am, Categories: Administration, IBM, Websphere, security, Sametime
Go read this, and apply the fixes. Your IBM HTTP Server, the one shipped with the WebSphere servers, is just a rebranded Apache:


D:\IBM\bin>Apache.exe -v
Server version: IBM_HTTP_Server/ Apache/2.0.47

(see update below)

Excerpt below:

          Apache HTTPD Security ADVISORY

Title:    Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:      CVE-2011-3192
Date:     20110824 1600Z
Product:  Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions


A denial of service vulnerability has been found in the way multiple 
overlapping ranges are handled by the Apache HTTPD server: 

An attack tool is circulating in the wild. Active use of this tool has 
been observed.

The attack can be done remotely and with a modest number of requests can 
cause very significant memory and CPU usage on the server. 

The default Apache HTTPD installation is vulnerable.

There is currently no patch/new version of Apache HTTPD which fixes this 
vulnerability. This advisory will be updated when a long term fix 
is available. 

A full fix is expected in the next 48 hours. 

Update: The fix reported to work for 2.0 and 2.2 doesn't work on 2.0, as the syntax is different. Apply the following instead:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
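
To see what that SetEnvIf rule actually decides, here is an added Python example (not from the post or the Apache advisory) that applies the same `(,.*?){5,}` regex to a Range header, parses the byte-range-specs, and computes how many times over the resource a request makes the server assemble. The headers and the 1000-byte resource size are constructed for the demonstration.

```python
import re

# The blog's mitigation: SetEnvIf Range (,.*?){5,} bad-range=1
# Five or more commas in the header means more than five byte-range-specs.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def setenvif_flags(range_header):
    """True when the SetEnvIf rule above would set bad-range=1 for this header."""
    return BAD_RANGE_RE.search(range_header) is not None


def parse_byte_ranges(range_header, content_length):
    """Parse 'bytes=a-b,c-,-d' (RFC 2616 byte-range-spec) into satisfiable
    (start, end) pairs; invalid or unsatisfiable specs are skipped."""
    unit, _, spec = range_header.partition("=")
    if unit.strip().lower() != "bytes":
        return []
    ranges = []
    for part in spec.split(","):
        first, _, last = part.strip().partition("-")
        if first == "" and last.isdigit():      # suffix form: -d (last d bytes)
            n = min(int(last), content_length)
            if n:
                ranges.append((content_length - n, content_length - 1))
        elif first.isdigit():                    # a-b or a- (to end of resource)
            start = int(first)
            end = int(last) if last.isdigit() else content_length - 1
            end = min(end, content_length - 1)
            if start <= end:
                ranges.append((start, end))
    return ranges


def amplification(range_header, content_length):
    """Bytes the server must assemble for this request divided by the resource
    size; overlapping ranges each count again, which is what makes a short
    header expensive."""
    ranges = parse_byte_ranges(range_header, content_length)
    return sum(end - start + 1 for start, end in ranges) / content_length


# Constructed sample headers (not taken from the advisory), 1000-byte resource.
NORMAL = "bytes=0-99,200-299,-50"          # an ordinary multi-range request
SUSPECT = "bytes=" + ",".join(["0-"] * 6)   # six overlapping whole-resource ranges

if __name__ == "__main__":
    for hdr in (NORMAL, SUSPECT):
        print(hdr, "flagged:", setenvif_flags(hdr),
              "amplification: %.2fx" % amplification(hdr, 1000))
```

Note that the regex counts commas, so exactly five ranges (four commas) pass untouched; the rule fires from the sixth range onward, which matches the "more than 5 ranges" comment in the config.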



©2017 by Dennis van Remortel
