Apache HTTP Server byte-range filter denial of service
| apache-byterange-dos (22006) |  Low Risk |
Description:
Apache HTTP Server is vulnerable to a denial of service attack caused by a vulnerability in the byte-range filter. A remote attacker could send a specially-crafted request containing the HTTP Range header to consume large amounts of memory on the system.
Platforms Affected:
- Apache, HTTP Server 2.0
- Apache, HTTP Server 2.0.28
- Apache, HTTP Server 2.0.28 Beta
- Apache, HTTP Server 2.0.32
- Apache, HTTP Server 2.0.35
- Apache, HTTP Server 2.0.36
- Apache, HTTP Server 2.0.37
- Apache, HTTP Server 2.0.38
- Apache, HTTP Server 2.0.39
- Apache, HTTP Server 2.0.40
- Apache, HTTP Server 2.0.41
- Apache, HTTP Server 2.0.42
- Apache, HTTP Server 2.0.43
- Apache, HTTP Server 2.0.44
- Apache, HTTP Server 2.0.45
- Apache, HTTP Server 2.0.46
- Apache, HTTP Server 2.0.47
- Apache, HTTP Server 2.0.48
- Apache, HTTP Server 2.0.49
- Apache, HTTP Server 2.0.50
- Apache, HTTP Server 2.0.51
- Apache, HTTP Server 2.0.52
- Apache, HTTP Server 2.0.53
- Apache, HTTP Server 2.0.9A
- Canonical, Ubuntu 4.10
- Canonical, Ubuntu 5.04
- Debian, Debian Linux 3.1
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 10.0
- MandrakeSoft, Mandrake Linux 10.0 AMD64
- MandrakeSoft, Mandrake Linux 10.1 X86_64
- MandrakeSoft, Mandrake Linux 10.1
- MandrakeSoft, Mandrake Linux LE2005
- MandrakeSoft, Mandrake Linux LE2005 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0
- MandrakeSoft, Mandrake Multi Network Firewall 2.0
- Novell, Open Enterprise 9 Server
- Novell, Open Enterprise Server
- Novell, Open Enterprise Server
- RedHat, Enterprise Linux 3 Desktop
- RedHat, Enterprise Linux 3 ES
- RedHat, Enterprise Linux 3 WS
- RedHat, Enterprise Linux 3 AS
- RedHat, Enterprise Linux 4 Desktop
- RedHat, Enterprise Linux 4 WS
- RedHat, Enterprise Linux 4 ES
- RedHat, Enterprise Linux 4 AS
- RedHat, Enterprise Linux AS
- SuSE, Linux Enterprise Server 8
- SuSE, SuSE Linux 9.0
- SuSE, SuSE Linux 9.1
- SuSE, SuSE Linux 9.2
- SuSE, SuSE Linux 9.3
- SuSE, SuSE Open Enterprise Server 9
- SuSE, SuSE SLES 9
- Turbolinux, Turbolinux 10 Desktop
- Turbolinux, Turbolinux 10 F...
- Turbolinux, Turbolinux 10 Server
- Turbolinux, Turbolinux 7 Server
- Turbolinux, Turbolinux 7 Workstation
- Turbolinux, Turbolinux 8 Server
- Turbolinux, Turbolinux 8 Workstation
- Turbolinux, Turbolinux Home
- Turbolinux, Turbolinux Multimedia
- Turbolinux, Turbolinux Personal
Remedy:
Upgrade to the latest version of Apache HTTP Server (2.0.54 r9 or later), available from the Apache Web site. See References.
For Gentoo Linux:
Upgrade to the latest version of apache (2.0.54-r9 or 2.0 or later), as listed in Gentoo Linux Security
Advisory GLSA 200508-15. See References.
For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Apache (2.0.54-5 1 or later), as listed in DSA-805-1. See References.
For Red Hat Linux:
Upgrade to the latest OpenSSL package, as listed below. Refer to RHSA-2005:608-7 for more information. See References.
Red Hat Desktop 3.0: httpd-2.0.46-46.3.ent.src.rpm or later, httpd-2.0.46-46.3.ent.i386.rpm or later, and httpd-2.0.46-46.3.ent.x86_64.rpm or later.
Red Hat Desktop 4.0: httpd-2.0.52-12.2.ent.src.rpm or later, httpd-2.0.52-12.2.ent.i386.rpm or later, and httpd-2.0.52-12.2.ent.x86_64.rpm or later.
Red Hat AS, ES, WS (v.3): httpd-2.0.46-46.3.ent.src.rpm or later, httpd-2.0.46-46.3.ent.i386.rpm or later, httpd-2.0.46-46.3.ent.ia64.rpm or later, and httpd-2.0.46-46.3.ent.x86_64.rpm and later.
Red Hat AS, ES, WS (v. 4): httpd-2.0.52-12.2.ent.src.rpm or later, httpd-2.0.52-12.2.ent.i386.rpm or later, httpd-2.0.52-12.2.ent.ia64.rpm or later, httpd-2.0.52-12.2.ent.ppc.rpm or later, httpd-2.0.52-12.2.ent.s390.rpm or later, httpd-2.0.52-12.2.ent.s390x.rpm or later, and httpd-2.0.52-12.2.ent.x86_64.rpm or later.
For SUSE Linux:
Upgrade to the latest version of apache2, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:051. See References.
X86 platform:
SUSE Linux 9.3: 2.0.53-9.5 or later
SUSE Linux 9.2: 2.0.50-7.7 or later
SUSE Linux 9.1: 2.0.49-27 or later
SUSE Linux 9.0: 2.0.48-155 or later
x86-64 platform:
SUSE Linux 9.3: 2.0.53-9.5 or later
SUSE Linux 9.2: 2.0.50-7.7 or later
SUSE Linux 9.1::2.0.49-27.34 or later
SUSE Linux 9.0: 2.0.48-155 or later
For HP-UX:
Apply the appropriate fix, as listed in Neohapsis BugTraq Message #0217 SSRT051251. See References.
For Ubuntu Linux:
Refer to USN-177-1 for patch, upgrade, or suggested workaround information. See References.
For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2005:052 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Consequences:
Denial of Service
References:
- Apache Web site, Welcome! - The Apache HTTP Server Project at http://httpd.apache.org/.
- ASF Bugzilla Bug 29962, byterange filter buffers response in memory at http://issues.apache.org/bugzilla/show_bug.cgi?id=29962.
- CIAC INFORMATION BULLETIN P-301, httpd Security Update at http://www.ciac.org/ciac/bulletins/p-301.shtml.
- IBM Systems Support Web site, Support for HMC at https://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v61.Readme.html#MH01110.
- Neohapsis BugTraq Message #0217 SSRT051251, Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access at http://archives.neohapsis.com/archives/bugtraq/2005-11/0217.html.
- SGI Security Advisory 2005090101-U, SGI Advanced Linux Environment 3 Security Update #46 at ftp://patches.sgi.com/support/free/security/advisories/20050901-01-U.asc.
- ASA-2006-023: Apache-based Web Server on HP-UX (HPSBUX02074)
- BID-14660: Apache CGI Byterange Request Denial of Service Vulnerability
- CVE-2005-2728: The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
- DSA-805: apache2 -- several vulnerabilities
- GLSA-200508-15: Apache 2.0: Denial of Service vulnerability
- MDKSA-2005:161: Updated apache2 packages to address multiple vulnerabilities
- RHSA-2005-608: httpd security update
- SA16559: Apache Byte-Range Filter and MPM Worker Denial of Service Vulnerabilities
- SA16956: Avaya Products httpd/mod_ssl Vulnerabilities
- SA17036: IBM HTTP Server PCRE and Byte-Range Filter Vulnerabilities
- SA17600: HP-UX / HP Virtualvault Apache Multiple Vulnerabilities
- SA19072: Sun Solaris Multiple Apache2 Vulnerabilities
- SUSE-SA:2005:052: apache2: local command execution authentication bypass memory consumption
Reported:
Aug 25, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net