Oracle has issued a special security alert for Oracle HTTP Server products that are based on Apache 2.0 or 2.2. The alert covers CVE-2011-3192 or the Apache HTTPD byterange filter exploit as it is more commonly known.
In August a bug was found in the Apache HTTPD server regarding how it handles byte-range headers. By exploiting the bug, remote attackers can cause a denial of service (memory and CPU consumption) by sending a Range header that expresses many overlapping ranges, since each range is buffered separately before the response is assembled. A fix was released at the end of August and a few days ago a “more efficient” fix was released. Oracle are basically playing catchup by issuing this alert now.
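The defensive check below is an added example for this post, not code from Oracle, Apache or the author. It parses an HTTP/1.1 `Range` header the way a reverse proxy or WAF in front of an unpatched Oracle HTTP Server might, and flags a request when the header carries more ranges than a threshold or when any two ranges overlap, which is the shape of the interim workaround Apache published at the time (drop or reject requests with many ranges). The threshold `MAX_RANGES` and the sample headers are assumptions constructed for the example.

```python
import re

# Assumed threshold for this example; the Oracle alert does not specify one.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" or "-suffixlength".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value, content_length):
    """Parse a Range header value such as 'bytes=0-99,200-'.

    Returns a list of (start, end) tuples resolved against content_length.
    Returns None if the header is syntactically invalid, which a server is
    required to treat as if no Range header were present.
    """
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        match = _RANGE_SPEC.match(spec.strip())
        if not match:
            return None
        first, last = match.group(1), match.group(2)
        if first == "" and last == "":
            return None
        if first == "":
            # Suffix range: the last N bytes of the entity.
            suffix_len = int(last)
            start = max(0, content_length - suffix_len)
            end = content_length - 1
        else:
            start = int(first)
            end = int(last) if last != "" else content_length - 1
            if start > end:
                return None  # first-byte-pos beyond last-byte-pos is invalid
            end = min(end, content_length - 1)
        if start >= content_length:
            continue  # unsatisfiable single range; the others may still be
        ranges.append((start, end))
    return ranges


def ranges_overlap(ranges):
    """True if any two ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            return True
    return False


def should_reject(value, content_length, max_ranges=MAX_RANGES):
    """Decide whether a Range header looks like the CVE-2011-3192 pattern.

    Legitimate clients (download managers, PDF viewers) send a handful of
    non-overlapping ranges; a large or overlapping set is the abuse signal.
    """
    ranges = parse_range_header(value, content_length)
    if ranges is None:
        return False  # invalid header: server ignores it and serves the body
    return len(ranges) > max_ranges or ranges_overlap(ranges)


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for header in ("bytes=0-99,200-", "bytes=0-100,50-150,0-100"):
        print(header, "->", "reject" if should_reject(header, 1000) else "allow")
```

A proxy applying this would either answer 416 or strip the header and serve the full entity; serving the full entity is the safer default because it never breaks a legitimate client, it only costs it a bigger download.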
Affected Oracle Products and Versions
- Oracle Fusion Middleware 11g Release 1, versions 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0
- Oracle Application Server 10g Release 3, version 10.1.3.5.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
- Oracle Application Server 10g Release 2, version 10.1.2.3.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)