Hi,

From this discussion
http://serverfault.com/questions/304739/is-tomcat-vulnerable-to-the-apache-dos-vulnerability-in-cve-2011-3192
I can say it may not impact Tomcat. But we need to check each of the
applications; the developers may change the header parameter, i.e. for
large files or video streaming. I will do a test on our Zimbra
installation just to make sure.

On Tue, Sep 6, 2011 at 9:02 PM, Helen Gao <[email protected]> wrote:
> I wonder if the same defect exists in Tomcat.
>
> On Tue, Sep 6, 2011 at 1:20 AM, Harisfazillah Jamel
> <[email protected]> wrote:
>>
>> Team,
>>
>> The Apache web server needs to be updated. Major Linux distros have
>> already pushed the update. The exploit can be used to DDoS your Apache
>> web server without the need for many computers or a zombie army.
>>
>> For any setup that has not yet been patched, please follow the
>> mitigation process from the link below.
>>
>> http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%[email protected]%3E
>>
>> ---- extract from mitigation section ----
>>
>> Mitigation:
>> =======
>>
>> However there are several immediate options to mitigate this issue until
>> a full fix is available:
>>
>> 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
>> either ignore the Range: header or reject the request.
>>
>> Option 1: (Apache 2.0 and 2.2)
>>
>> # Drop the Range header when more than 5 ranges.
>> # CVE-2011-3192
>> SetEnvIf Range (,.*?){5,} bad-range=1
>> RequestHeader unset Range env=bad-range
>>
>> # optional logging.
>> CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>>
>> Option 2: (Also for Apache 1.3)
>>
>> # Reject request when more than 5 ranges in the Range: header.
>> # CVE-2011-3192
>> #
>> RewriteEngine on
>> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>> RewriteRule .* - [F]
>>
>> The number 5 is arbitrary. Several 10's should not be an issue and may be
>> required for sites which for example serve PDFs to very high end eReaders
>> or use things such as complex HTTP-based video streaming.
>>
>> --------- Detail of the bug ------
>>
>> Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
>>
>> CVE: CVE-2011-3192
>> Date: 20110824 1600Z
>> Product: Apache HTTPD Web Server
>> Versions: Apache 1.3 all versions, Apache 2 all versions
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
>>
>> The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
>> 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
>> denial of service (memory and CPU consumption) via a Range header that
>> expresses multiple overlapping ranges, as exploited in the wild in
>> August 2011, a different vulnerability than CVE-2007-0086.
>>
>> The exploit
>>
>> http://www.exploit-db.com/exploits/17696/
>>
>> Meet a group of experts to discuss it. Invitation: ICT Security Day -
>> OWASP Day Malaysia 2011
>>
>> http://cikgucyber.blogspot.com/2011/09/jemputan-hari-keselamatan-ict-owasp-day.html

--
Malaysia Open Source Software Conference 2011 MOSC2011 http://www.mosc.my/
Malaysia Open Source Conference 2012 (MOSC2012) http://portal.mosc.my/
LinuxMalaysia Network http://www.facebook.com/Bukan.Sekadar.Internet.Sahaja
Harisfazillah Jamel

_______________________________________________
OWASP-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki http://www.owasp.my
OWASP Malaysia Facebook http://www.facebook.com/OWASP.Malaysia
OWASP Malaysia Twitter #owaspmy http://www.twitter.com/owaspmy
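The two Apache mitigations quoted in the thread are both range-counting filters, and the regexes differ in a way that matters when you check an application such as Tomcat or Zimbra for equivalent protection. The script below is an added example, written for this page and not taken from the thread, the Apache announcement or any project; it reproduces the exact `SetEnvIf` and `RewriteCond` patterns from the announcement in Python so they can be run against constructed header values, and adds a plain range counter with a configurable `limit` (the announcement's arbitrary 5 by default) as the generalised form of the rule. All function names and the sample header values are this example's own.

```python
import re

# Both patterns are copied verbatim from the Apache announcement quoted above.
# Option 1 (SetEnvIf): flag the request when the Range header contains at
# least 5 commas, i.e. more than 5 ranges.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Option 2 (RewriteCond): the header is acceptable only when it is empty or is
# "bytes=" followed by one range plus at most four more (0 to 4 commas).  The
# RewriteCond negates this pattern, so a non-match means "reject".
REWRITECOND_ACCEPTABLE = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")


def option1_drops_header(range_header):
    """True when the SetEnvIf rule sets bad-range=1 and RequestHeader unsets Range.

    Apache applies the SetEnvIf regex as an unanchored search, like re.search.
    """
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def option2_rejects_request(range_header):
    """True when the RewriteRule answers 403 Forbidden ([F]).

    RewriteCond with a leading '!' fires when the pattern does NOT match, so
    this option also rejects syntactically odd headers (e.g. a non-bytes unit)
    that Option 1 would let through.
    """
    return REWRITECOND_ACCEPTABLE.search(range_header) is None


def count_ranges(range_header):
    """Number of comma-separated range specs; 0 for an absent or empty header.

    The direct equivalent of what the two regexes count, without the regex.
    Whitespace around separators is tolerated ("bytes=0-1, 2-3").
    """
    if not range_header or "=" not in range_header:
        return 0
    _, _, spec = range_header.partition("=")
    return len([part for part in spec.split(",") if part.strip()])


def exceeds_range_limit(range_header, limit=5):
    """Generalised form of the advisory's rule: True when more than `limit`
    ranges are requested.  `limit` defaults to the announcement's arbitrary 5;
    a site serving PDFs to e-readers or segmented video may need a higher one.
    """
    return count_ranges(range_header) > limit


def evaluate(range_header):
    """Run all checks on one header value and return the verdicts."""
    return {
        "ranges": count_ranges(range_header),
        "option1_drops": option1_drops_header(range_header),
        "option2_rejects": option2_rejects_request(range_header),
        "over_limit": exceeds_range_limit(range_header),
    }


# Constructed sample header values for this example (not captured traffic).
SAMPLE_HEADERS = {
    "single": "bytes=0-499",
    "five": "bytes=0-1,2-3,4-5,6-7,8-9",
    "six": "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
    "absent": "",
    "other_unit": "items=0-1",  # legal syntax, non-bytes unit
    "many_overlapping": "bytes=" + ",".join(["0-100"] * 40),
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:16s} {evaluate(value)}")
```

Running the script shows the two options agreeing on the threshold (five ranges pass, six are dropped or rejected) but disagreeing on the `items=0-1` header, which only Option 2 rejects. When porting the check to another server or to application code, decide explicitly which of the two behaviours you want, and pick `limit` from your own access logs rather than from the announcement's placeholder value.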

