December 7, 2016

Oracle Issues Patches for Apache Byterange Filter Bug

Oracle has issued a special security alert for Oracle HTTP Server products that are based on Apache 2.0 or 2.2. The alert covers CVE-2011-3192, more commonly known as the Apache HTTPD byterange filter exploit.

In August a bug was found in how the Apache HTTPD server handles byte range headers. By exploiting the bug, remote attackers can cause a denial of service (memory and CPU consumption) by sending a Range header that expresses multiple overlapping ranges. A fix was released at the end of August, and a few days ago a “more efficient” fix was released. Oracle are basically playing catch-up by issuing this alert now.
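A defender-side check for the Range pattern described above, as an added example that is not part of the original post and is not the Apache or Oracle fix: it parses a Range header value and flags requests that carry many ranges or several overlapping ones. The thresholds, function names and sample headers are assumptions constructed for illustration.

```python
import re

# Assumed policy thresholds for this example (not values from the alert).
MAX_RANGES = 5     # more ranges than this in one request is flagged
MAX_OVERLAPS = 2   # more overlapping ranges than this is flagged

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header):
    """Parse a Range header value into (start, end) pairs.
    Open-ended "N-" gives (N, None); suffix "-N" gives (None, N).
    Returns None when the value is malformed."""
    unit, sep, specs = header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    out = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None
        out.append((start, end))
    return out

def count_overlaps(ranges):
    """Count ranges that overlap an earlier one once sorted by start.
    Suffix ranges are skipped: their position depends on the file length."""
    spans = sorted((s, float("inf") if e is None else e)
                   for s, e in ranges if s is not None)
    overlaps, max_end = 0, -1
    for start, end in spans:
        if start <= max_end:
            overlaps += 1
        max_end = max(max_end, end)
    return overlaps

def classify(header):
    """Return "malformed", "suspicious" or "ok" for one Range header value."""
    ranges = parse_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES or count_overlaps(ranges) > MAX_OVERLAPS:
        return "suspicious"
    return "ok"

# Constructed sample header values, not taken from real traffic.
SAMPLES = ["bytes=0-499", "bytes=0-99,200-299", "bytes=0-,0-10,5-20,0-100"]
```

A check like this belongs in log review or a request filter placed in front of servers that have not yet received the fix; it does not replace patching.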

Affected Oracle Products and Versions

  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
  • Oracle Application Server 10g Release 2, version 10.1.2.3.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.