ASB-2011.0076.2 - UPDATE [Win][UNIX/Linux] Apache HTTPD: Denial of service - Remote/unauthenticated
16 September 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2011.0076.2
           Apache HTTP Server (httpd) 2.2.21 Released
                          16 September 2011
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache HTTPD
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3348 CVE-2011-3192
Member content until: Saturday, October 15 2011
Reference:            ESB-2011.0870.2

Revision History:     September 16 2011: Fixed formatting
                      September 15 2011: Initial Release

OVERVIEW

        Apache HTTP Server (httpd) 2.2.21 has been released, fixing a
        denial of service vulnerability (CVE-2011-3348) and including
        further fixes for the Range header denial of service
        (CVE-2011-3192).

IMPACT

        The Apache Software Foundation states that the 2.2.21 release
        resolves the following security issues:

        "A flaw was found when mod_proxy_ajp is used together with
        mod_proxy_balancer. Given a specific configuration, a remote
        attacker could send certain malformed HTTP requests, putting a
        backend server into an error state until the retry timeout
        expired. This could lead to a temporary denial of service."

        This update (version 2.2.21) also includes further fixes to
        CVE-2011-3192.

MITIGATION

        The Apache Software Foundation has made Apache httpd 2.2.21
        available for download via its websites and mirrors.

REFERENCES

        Fixed in Apache httpd 2.2.21
        http://httpd.apache.org/security/vulnerabilities_22.html

        Range header DoS vulnerability Apache HTTPD
        http://httpd.apache.org/security/CVE-2011-3192.txt

        Downloading the Apache HTTP Server
        http://httpd.apache.org/download.cgi

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTnKvoO4yVqjM2NGpAQJAaBAArVvgzDLEBasV/am9uwQ+RX5wbHW0USny
ONAesR+FLymmlaDTA+aJZrIdUnQrxHfZZyt+GsmWHjhbRr7KxjYxKJSps45TavbM
VF+xEJCCokMMIGpErrHxSpqg1U+19+dd/S428iDzdulhrkTtLaUmJPg56LTVjUQT
Ko9bbDW20ZWNN/vNOlSb+Od4s9fuEBAjHT4Gx+7RV+RngSclUvYCW1mOKU9gNKWL
KoFvzZQivJKlPzO/tHfXg9fCIqj9Bhr9p8apfj805Md7/ao9YCO2O4QTiJHy3xX3
57p/arWEZHCyrYILzZG83ycW5tCZcnHc96NNsBQGeujt5EbevRn9eQIiNTp5xZpy
fr3PsFNhqSAfHf269iMAGpWUw8v9pnJR2DBKYRXm3iTrL9wgyMbRjV+65FqMR1Je
QN7ZfYcX9DI1DtrIC1RxDePGHRXlXV8XKCJDw9/1358JngTaLzlCkp1Xa40MXRgE
me0cn//tcaNbOd2EGODTtnPkVklYx/Y1i/NZRAq5vwnSJsZcXvKUCDROCub0pTHf
LKslZ820tq4UNeTNnDsJR1CY5TVnXOtxP5odw4qITTP/ThGbN/h5mQ5BkMOPfNBh
+0vUEJZgvexIpwWY9mPayXHHTzynYBIQljc5W73iWZjduBw45O0UwKUs883bENJ+
hEsXrDlNpek=
=pZKy
-----END PGP SIGNATURE-----
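The two checks an administrator would want to run after reading this bulletin, as an added example that is not part of the AusCERT bulletin or of Apache's own code: confirm that the installed httpd is at or past the fixed 2.2.21 release, and flag HTTP requests whose Range header carries an abusive number of byte ranges, the request shape behind the CVE-2011-3192 Range header denial of service. The version text, the sample requests and the five-range threshold are constructed for this example; the threshold is an assumption, not a value the bulletin states.

```python
"""Added example for ASB-2011.0076.2: version check for the fixed httpd
release and a Range header abuse check for the CVE-2011-3192 pattern.
Not AusCERT's or Apache's code; all sample data below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Release named in the bulletin as carrying the fixes.
FIXED_VERSION = (2, 2, 21)

# Threshold for this example only (an assumption, not from the bulletin):
# a legitimate client rarely asks for more than a handful of byte ranges.
MAX_RANGES = 5

_VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(httpd_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the text that `httpd -v` prints."""
    m = _VERSION_RE.search(httpd_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_fixed(version: Tuple[int, int, int], fixed=FIXED_VERSION) -> bool:
    """True when the build is at or past the fixed release. Caveat: a distro
    package that backports the fix keeps an older version string, so for
    vendor builds check the package changelog rather than this number."""
    return tuple(version) >= fixed


def count_byte_ranges(range_header: str) -> int:
    """Count the range specifiers in a `Range: bytes=...` header value.
    Returns 0 for an absent header or a non-bytes range unit. Malformed
    specifiers are still counted, because the concern is how many ranges
    the server would have to process, not whether each one is valid."""
    if not range_header:
        return 0
    unit, sep, spec = range_header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return 0
    return len([s for s in spec.split(",") if s.strip()])


def flag_range_abuse(requests: List[Dict[str, str]],
                     max_ranges: int = MAX_RANGES) -> List[Dict[str, str]]:
    """Return the requests whose Range header exceeds max_ranges specifiers,
    each annotated with the count so the reason for flagging is visible."""
    flagged = []
    for req in requests:
        n = count_byte_ranges(req.get("Range", ""))
        if n > max_ranges:
            flagged.append({**req, "range_count": n})
    return flagged


# Constructed sample requests (not captured traffic). The third one carries
# the many-overlapping-ranges shape associated with CVE-2011-3192.
SAMPLE_REQUESTS = [
    {"client": "192.0.2.10", "path": "/index.html", "Range": ""},
    {"client": "192.0.2.11", "path": "/big.iso",
     "Range": "bytes=0-1023,1024-2047"},
    {"client": "192.0.2.12", "path": "/index.html",
     "Range": "bytes=0-," + ",".join(f"5-{i}" for i in range(100))},
]


def main() -> None:
    # Constructed `httpd -v` output for a build one release behind the fix.
    sample_v = ("Server version: Apache/2.2.20 (Unix)\n"
                "Server built:   Aug 30 2011 11:32:22\n")
    v = parse_httpd_version(sample_v)
    state = "fixed" if v and is_fixed(v) else "VULNERABLE: upgrade to 2.2.21"
    print("httpd", ".".join(map(str, v)) if v else "unknown", state)
    for hit in flag_range_abuse(SAMPLE_REQUESTS):
        print(f"suspicious Range from {hit['client']} for {hit['path']}: "
              f"{hit['range_count']} ranges")


if __name__ == "__main__":
    main()
```

To run the version check against a real host, feed `parse_httpd_version` the output of `httpd -v` (or `apache2 -v` on Debian-derived systems); the Range check is meant to run over request headers, so the access log must record them (for example with `%{Range}i` in the LogFormat) or the check must sit in front of httpd where the raw headers are visible.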