I wonder if the same defect exists in Tomcat.

On Tue, Sep 6, 2011 at 1:20 AM, Harisfazillah Jamel <[email protected]> wrote:
> Team,
>
> The Apache web server needs to be updated. Major Linux distros have already pushed
> the update. The exploit can be used to DDoS your Apache web server
> without the need for many computers or a zombie army.
>
> For any setup that has not yet done the patching, please follow the mitigation
> process from the link below.
>
> http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%[email protected]%3E
>
> ---- extract from mitigation section ----
>
> Mitigation:
> =======
>
> However there are several immediate options to mitigate this issue until
> a full fix is available:
>
> 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
> either ignore the Range: header or reject the request.
>
> Option 1: (Apache 2.0 and 2.2)
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # optional logging.
> CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
> Option 2: (Also for Apache 1.3)
>
> # Reject request when more than 5 ranges in the Range: header.
> # CVE-2011-3192
> #
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
> RewriteRule .* - [F]
>
> The number 5 is arbitrary. Several 10's should not be an issue and may be
> required for sites which for example serve PDFs to very high end eReaders
> or use things such as complex http based video streaming.
>
> --------- Detail of the bug ------
>
> Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
>
> CVE: CVE-2011-3192
> Date: 20110824 1600Z
> Product: Apache HTTPD Web Server
> Versions: Apache 1.3 all versions, Apache 2 all versions
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
>
> The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
> 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
> denial of service (memory and CPU consumption) via a Range header that
> expresses multiple overlapping ranges, as exploited in the wild in
> August 2011, a different vulnerability than CVE-2007-0086.
>
> The exploit
>
> http://www.exploit-db.com/exploits/17696/
>
> Meet a group of experts to discuss it. Invitation to ICT Security Day -
> OWASP Day Malaysia 2011
>
> http://cikgucyber.blogspot.com/2011/09/jemputan-hari-keselamatan-ict-owasp-day.html
> _______________________________________________
> OWASP-Malaysia mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.my
>
> OWASP Malaysia Facebook
> http://www.facebook.com/OWASP.Malaysia
>
> OWASP Malaysia Twitter #owaspmy
> http://www.twitter.com/owaspmy
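Both mitigation options quoted in the thread work by counting the comma-separated specs in the Range header. The following Python is an added example, not code from the thread, from Apache or from the OWASP list: it applies the two quoted regexes verbatim so you can see which headers each option would drop or reject, resolves the specs against a body of an assumed 1000 bytes using a simplified form of the RFC 2616 byte-range rules, and counts specs that overlap an earlier one, which is the trigger the CVE text names. The sample headers are constructed. It is meant for checking what a rule would do to legitimate multi-range clients before you deploy it, or for classifying Range headers pulled from access logs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Range headers (not taken from the thread) used to exercise
# the checks below; "missing" stands for a request with no Range header at all.
SAMPLE_HEADERS: Dict[str, str] = {
    "single":      "bytes=0-499",
    "open_ended":  "bytes=500-",
    "suffix":      "bytes=-200",
    "five_ranges": "bytes=0-1,2-3,4-5,6-7,8-9",
    "six_ranges":  "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
    "overlapping": "bytes=0-100,50-150,0-100,50-150,0-100,50-150",
    "missing":     "",
}

# The two regexes exactly as quoted in the mitigation section of the thread.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")
REWRITECOND_ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")


def option1_drops_header(header: str) -> bool:
    """Option 1 (SetEnvIf): bad-range=1 when the header holds five or more
    commas, i.e. six or more range specs; httpd then unsets the Range header."""
    return SETENVIF_BAD_RANGE.search(header) is not None


def option2_rejects_request(header: str) -> bool:
    """Option 2 (mod_rewrite): the negated RewriteCond fires and the request
    gets a 403 unless the header is empty or is bytes= with at most five specs."""
    return REWRITECOND_ALLOWED.search(header) is None


RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def resolve_byte_ranges(header: str, length: int) -> List[Tuple[int, int]]:
    """Resolve a bytes= header against a body of `length` bytes into absolute
    (first, last) pairs, following the RFC 2616 byte-range-spec rules in a
    simplified form. Unsatisfiable specs are dropped; a malformed header yields
    [] because httpd ignores Range headers it cannot parse."""
    if not header.lower().startswith("bytes="):
        return []
    resolved: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return []
        first, last = m.group(1), m.group(2)
        if first == "":                         # suffix range "-N": the last N bytes
            n = int(last)
            if n == 0:
                continue
            first_i, last_i = max(0, length - n), length - 1
        else:
            first_i = int(first)
            last_i = length - 1 if last == "" else min(int(last), length - 1)
        if first_i > last_i:                    # starts past the end: unsatisfiable
            continue
        resolved.append((first_i, last_i))
    return resolved


def overlapping_range_count(ranges: List[Tuple[int, int]]) -> int:
    """Number of specs that overlap an earlier spec in the same header. A
    non-zero value together with a high spec count is the combination a
    log-review script should record for this CVE."""
    return sum(
        1
        for i, (a, b) in enumerate(ranges)
        if any(a <= d and c <= b for c, d in ranges[:i])
    )


def assess(header: str, length: int = 1000) -> Dict[str, object]:
    """Summarise what each quoted mitigation would do with the header, plus the
    spec and overlap counts; `length` is the assumed response body size."""
    ranges = resolve_byte_ranges(header, length)
    return {
        "specs": len(ranges),
        "overlapping": overlapping_range_count(ranges),
        "option1_drops_header": option1_drops_header(header),
        "option2_rejects": option2_rejects_request(header),
    }


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:12} {header!r:50} {assess(header)}")
```

Running it shows the two options agreeing on the constructed samples: five specs pass both, six specs (overlapping or not) trip both, and an absent header is left alone. Since the thread itself notes the cutoff of 5 is arbitrary, the same script is a quick way to replay the Range headers your legitimate clients actually send before settling on a number.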

