JPCERT-AT-2011-0023 JPCERT/CC 2011-08-31 (First edition) 2011-09-15 (Updated) <<< JPCERT/CC Alert 31.08.11 >> Apache HTTP Server DoS Vulnerability https://www.jpcert.or.jp/at/2011/at110023.txt I. Overview Apache HTTP Server contains a vulnerability that will cause a Denial of Service (DoS). A remote attacker could cause a high level of system resource utilization by sending a specially crafted HTTP request to an Apache HTTP Server, causing a denial of service. Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E According to The Apache Software Foundation, attack tools targeting this vulnerability have been made public, and there have been confirmed attacks targeting this vulnerability. *** Update: Added on 15.09.2011 ************************************* On September 14, 2011 (Japan time), The Apache Software Foundation released Apache HTTPD Security ADVISORY (UPDATE 3 - FINAL). The main changes are listed below. - Apache HTTP Server 1.3 has been removed from the list of versions affected by this vulnerability - The date of the release of the corrected version of Apache HTTP Server 2.0 has been made public - Apache HTTP Server 2.2.21 has been released (correction of bug introduced in 2.2.20) - In addition to this vulnerability, CVE-2011-3348 (mod_proxy_ajp) has also been solved. For more information, refer to the following websites: Apache HTTPD Security ADVISORY (UPDATE 3 - FINAL) Range header DoS vulnerability Apache HTTPD prior to 2.2.20. http://httpd.apache.org/security/CVE-2011-3192.txt Apache HTTP Server 2.2.21 Released http://www.apache.jp/news/apache-http-server-2.2.21-released http://www.apache.org/dist/httpd/Announcement2.2.html ********************************************************************** II. Products Affected According to The Apache Software Foundation, the following versions may be affected by this vulnerability. - All versions of Apache HTTP Server 1.3 - All versions of Apache HTTP Server 2.x In addition to these products, products which incorporate the Apache HTTP Server may also be affected. Those who are using Apache HTTP Server versions provided by distributors should refer to information provided by the distributors. III. Solution The Apache Software Foundation has released Apache HTTP Server 2.2.20, which resolves this vulnerability. Additionally, corrected versions are also being provided by several distributors. We recommend quickly deploying the corrected version after thorough testing. The corrected versions are as follows: - Apache HTTP Server 2.2.20 Apache HTTP Server Source Code Distributions http://www.apache.org/dist/httpd/ - Debian Debian Security Advisory DSA-2298-1 apache2 -- denial of service http://www.debian.org/security/2011/dsa-2298 - NetBSD NetBSD pkgsrc-Bugs archive CVS commit: [pkgsrc-2011Q2] pkgsrc/www/apache22 http://mail-index.netbsd.org/pkgsrc-changes/2011/08/30/msg059529.html For more information regarding this solution, refer to The Apache Software Foundation and distributors' websites. As of August 31, 2011, The Apache Software Foundation has not released corrected versions of Apache HTTP Server 2.0.x, so please consider applying workarounds. Support has ended for Apache HTTP Server 1.3, so please consider upgrading to 2.0/2.2 or applying workarounds. (Workaround) The Apache Software Foundation has released a workaround. However, applying the workaround may have a negative impact, so sufficient consideration to its effects should be given before applying it. For more information regarding this workaround, refer to The Apache Software Foundation advisory. Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E IV. Result of JPCERT/CC Verification JPCERT/CC has examined the exploit code for this vulnerability. It has been confirmed that with Apache HTTP Server 2.2.20, even if the attack code is executed, it will not cause a denial of Web server services. [Verification environment] Attack target versions Apache: 2.0.64, 2.2.9, 2.2.19, 2.2.20 [Verification content] Execute attack tool and confirm behavior of each Apache version [Verification result] - Apache 2.0.64, 2.2.9 - Server itself became inoperable - Condition did not change even when attack was stopped, and denial of service continued - Apache 2.2.19 - Memory usage rose and response slowed, but Web content remained viewable - Apache 2.2.20 - No denial of service occurred V. References Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E Apache HTTP Server 2.2.20 Released https://www.apache.org/dist/httpd/Announcement2.2.html Apache HTTP Server Source Code Distributions http://www.apache.org/dist/httpd/ Vulnerability Note VU#405811 Apache HTTPD 1.3/2.x Range header DoS vulnerability http://www.kb.cert.org/vuls/id/405811 JVNVU#405811 Denial of service vulnerability affecting Apache HTTPD servers https://jvn.jp/cert/JVNVU405811/index.html Red Hat, Inc. CVE-2011-3192 httpd: multiple ranges DoS https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192 Apache HTTP Server 1.3.42 released (final release of 1.3.x) http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E If you have any further questions or information regarding this alert, please contact JPCERT/CC. ________ Revision history 2011-08-31 First edition 2011-09-15 Added Security ADVISORY (UPDATE 3) ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/