May 25, 2020

Apache HTTP Server 2.2.20 Released – Fixes Byte-range DoS Vulnerability

(LiveHacking.Com) – The Apache Foundation has released an update to its HTTPD server to fix the much-publicized byte-range header problem. The announcement notes just one fix:

  • CVE-2011-3192: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.

The vulnerability left over 60% of the world’s websites exposed to a denial-of-service attack. The problem lay in how Apache handled byte-range headers, and because a tool demonstrating the problem had been published, an attack could be launched easily and cause very significant memory and CPU usage on the target server.
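The check described in the changelog entry, written out as an added illustration in Python (not Apache's own code): parse the `Range` header value, clamp each range to the file, and fall back to sending the whole file whenever the ranges add up to more bytes than the file holds. It assumes the header value has already been split out of the request and that `file_size` is known.

```python
import re

# One range-spec of an HTTP/1.1 Range header: "first-last", "first-" or "-suffix"
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(range_header, file_size):
    """Parse a 'bytes=...' Range header value into (first, last) inclusive
    offsets clamped to the file. Returns None for a missing or malformed
    header, which a server should treat as 'send the whole file'."""
    if not range_header or not range_header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in range_header[len("bytes="):].split(","):
        match = _RANGE_SPEC.match(spec.strip())
        if not match:
            return None  # syntactically invalid: ignore the header entirely
        first, last = match.groups()
        if first == "" and last == "":
            return None
        if first == "":
            # suffix range "-N": the final N bytes of the file
            start = max(file_size - int(last), 0)
            end = file_size - 1
        else:
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start > end:
            continue  # unsatisfiable (starts past EOF, or "-0"): skip it
        ranges.append((start, end))
    return ranges or None


def select_ranges(range_header, file_size):
    """Apply the check from the 2.2.20 changelog: if the ranges add up to more
    bytes than the file holds, ignore them and serve the complete file (None).
    Otherwise return the ranges to serve."""
    ranges = parse_byte_ranges(range_header, file_size)
    if ranges is None:
        return None
    requested = sum(end - start + 1 for start, end in ranges)
    if requested > file_size:
        return None
    return ranges
```

A `None` result means "respond 200 with the full body"; a list means "respond 206 with those parts", with the total size already bounded by the file length.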
