* Updated with Rudiger's comments.
* Do we have consensus that the deflate stuff needs to go out - is not relevant?
* More comments please. Esp. on the quality and realisticness of the mitigations.

Thanks,

Title:    CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2
Date:     20110824 1600Z
# Last Updated: 20110824 1600Z
Product:  Apache Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions

Description:
------------

A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by Apache
(http://seclists.org/fulldisclosure/2011/Aug/175).

It most commonly manifests itself when static content is made available with
compression on the fly through mod_deflate - but other modules which buffer
and/or generate content in-memory are likely to be affected as well.

This is a very common (the default right!?) configuration.

The attack can be done remotely and with a modest number of requests leads to
very significant memory and CPU usage.

Active use of this tool has been observed in the wild.

There is currently no patch/new version of Apache which fixes this
vulnerability. This advisory will be updated when a long term fix is
available. A fix is expected in the next 96 hours.

Mitigation:
------------

However, there are several immediate options to mitigate this issue until
that time:

1) Use mod_headers to disallow the use of Range headers:

       RequestHeader unset Range

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

2) Use mod_rewrite to limit the number of ranges:

       # Forbid requests that carry more than 5 ranges in the Range header
       RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
       RewriteRule .* - [F]

3) Limit the size of the request field to a few hundred bytes. Note that
   while this keeps the offending Range header short - it may break other
   headers, such as sizable cookies or security fields.

       LimitRequestFieldSize 200

   Note that as the attack evolves in the field you are likely to have to
   further limit this and/or impose other LimitRequestFields limits.

   See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

4) Deploy a Range header count module as a temporary stopgap measure:

       http://people.apache.org/~dirkx/mod_rangecnt.c

5) If your server (only) serves static content then disable
   compression-on-the-fly by:

   1) removing mod_deflate as a loaded module and/or by removing any
      AddOutputFilterByType/SetOutputFilter DEFLATE entries.

   2) Disable it with "BrowserMatch .* no-gzip"

   See: http://httpd.apache.org/docs/2.0/mod/mod_deflate.html
        http://httpd.apache.org/docs/2.2/mod/mod_deflate.html

6) Apply any of the current patches under discussion - such as:

       http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3ccaapsnn2po-d-c4nqt_tes2rrwizr7urefhtkpwbc1b+k1dq...@mail.gmail.com%3e

Actions:
--------

Apache HTTPD users are advised to investigate whether they are vulnerable
(e.g. allow Range headers and use mod_deflate) and consider implementing any
of the above mitigations.

Planning:
--------

This advisory will be updated when a fix/patch or new release is available. A
patch or new Apache release for Apache 2.0 and 2.2 is expected in the next 96
hours. Note that, while popular, Apache 1.3 is deprecated.
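
An added example, not part of the original message or of any Apache code: a Python check that applies the same five-range limit as the mod_rewrite option to Range header values taken from logs or a proxy hook, and additionally flags overlapping ranges, which goes beyond what the rewrite rule tests. The function names, the MAX_RANGES constant and the sample header values are constructed for illustration.

```python
import re

MAX_RANGES = 5  # assumption: same limit as the mod_rewrite option (1 range + up to 4 more)
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_ranges(value):
    """Parse a Range header value into (first, last) pairs; None marks an
    open end or a suffix range. Returns None if the value is not bytes=..."""
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # empty element or bare "-"
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges

def overlap_count(ranges):
    """Count ranges that start inside bytes already covered by an earlier one.
    Suffix ranges (no first byte) are skipped: they need the resource length."""
    spans = sorted((f, float("inf") if l is None else l)
                   for f, l in ranges if f is not None)
    count, reach = 0, -1
    for first, last in spans:
        if first <= reach:
            count += 1
        reach = max(reach, last)
    return count

def classify(value):
    """Return 'malformed', 'reject' (too many ranges), 'suspicious'
    (overlapping ranges) or 'ok' for one Range header value."""
    ranges = parse_ranges(value)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "reject"
    return "suspicious" if overlap_count(ranges) else "ok"

if __name__ == "__main__":
    # Constructed sample header values, not taken from real traffic.
    for sample in ("bytes=0-499", "bytes=0-499,200-699",
                   "bytes=0-,1-,2-,3-,4-,5-", "items=0-5"):
        print(f"{sample!r:32} -> {classify(sample)}")
```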