Apache HTTP Server byte-range filter denial of service
| apache-byterange-dos (22006) |  Medium Risk |
Description:
Apache HTTP Server is vulnerable to a denial of service attack caused by a vulnerability in the byte-range filter. A remote attacker could send a specially-crafted request containing the HTTP Range header to consume large amounts of memory on the system.
Consequences:
Denial of Service
Remedy:
Upgrade to the latest version of Apache HTTP Server (2.0.54 r9 or later), available from the Apache Web site. See References.
For Gentoo Linux:
Upgrade to the latest version of apache (2.0.54-r9 or 2.0 or later), as listed in Gentoo Linux Security
Advisory GLSA 200508-15. See References.
For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Apache (2.0.54-5 1 or later), as listed in DSA-805-1. See References.
For Red Hat Linux:
Upgrade to the latest OpenSSL package, as listed below. Refer to RHSA-2005:608-7 for more information. See References.
Red Hat Desktop 3.0: httpd-2.0.46-46.3.ent.src.rpm or later, httpd-2.0.46-46.3.ent.i386.rpm or later, and httpd-2.0.46-46.3.ent.x86_64.rpm or later.
Red Hat Desktop 4.0: httpd-2.0.52-12.2.ent.src.rpm or later, httpd-2.0.52-12.2.ent.i386.rpm or later, and httpd-2.0.52-12.2.ent.x86_64.rpm or later.
Red Hat AS, ES, WS (v.3): httpd-2.0.46-46.3.ent.src.rpm or later, httpd-2.0.46-46.3.ent.i386.rpm or later, httpd-2.0.46-46.3.ent.ia64.rpm or later, and httpd-2.0.46-46.3.ent.x86_64.rpm and later.
Red Hat AS, ES, WS (v. 4): httpd-2.0.52-12.2.ent.src.rpm or later, httpd-2.0.52-12.2.ent.i386.rpm or later, httpd-2.0.52-12.2.ent.ia64.rpm or later, httpd-2.0.52-12.2.ent.ppc.rpm or later, httpd-2.0.52-12.2.ent.s390.rpm or later, httpd-2.0.52-12.2.ent.s390x.rpm or later, and httpd-2.0.52-12.2.ent.x86_64.rpm or later.
For SUSE Linux:
Upgrade to the latest version of apache2, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:051. See References.
X86 platform:
SUSE Linux 9.3: 2.0.53-9.5 or later
SUSE Linux 9.2: 2.0.50-7.7 or later
SUSE Linux 9.1: 2.0.49-27 or later
SUSE Linux 9.0: 2.0.48-155 or later
x86-64 platform:
SUSE Linux 9.3: 2.0.53-9.5 or later
SUSE Linux 9.2: 2.0.50-7.7 or later
SUSE Linux 9.1::2.0.49-27.34 or later
SUSE Linux 9.0: 2.0.48-155 or later
For HP-UX:
Apply the appropriate fix, as listed in Neohapsis BugTraq Message #0217 SSRT051251. See References.
For Ubuntu Linux:
Refer to USN-177-1 for patch, upgrade, or suggested workaround information. See References.
For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2005:052 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Apply the appropriate update for your system. See References.
References:
- Apache Web site: Welcome! - The Apache HTTP Server Project.
- ASF Bugzilla Bug 29962: byterange filter buffers response in memory.
- CIAC INFORMATION BULLETIN P-301: httpd Security Update.
- IBM Systems Support Web site: Support for HMC.
- Neohapsis BugTraq Message #0217 SSRT051251: Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access.
- SGI Security Advisory 2005090101-U: SGI Advanced Linux Environment 3 Security Update #46.
- ASA-2006-023: Apache-based Web Server on HP-UX (HPSBUX02074)
- BID-14660: Apache CGI Byterange Request Denial of Service Vulnerability
- CVE-2005-2728: The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
- DSA-805: apache2 -- several vulnerabilities
- GLSA-200508-15: Apache 2.0: Denial of Service vulnerability
- MDKSA-2005:161: Updated apache2 packages to address multiple vulnerabilities
- RHSA-2005-608: httpd security update
- SA16559: Apache Byte-Range Filter and MPM Worker Denial of Service Vulnerabilities
- SA16956: Avaya Products httpd/mod_ssl Vulnerabilities
- SA17036: IBM HTTP Server PCRE and Byte-Range Filter Vulnerabilities
- SA17600: HP-UX / HP Virtualvault Apache Multiple Vulnerabilities
- SA19072: Sun Solaris Multiple Apache2 Vulnerabilities
- SUSE-SA:2005:052: apache2: local command execution authentication bypass memory consumption
Platforms Affected:
- Apache HTTP Server 2.0
- Apache HTTP Server 2.0.28
- Apache HTTP Server 2.0.28 Beta
- Apache HTTP Server 2.0.32
- Apache HTTP Server 2.0.35
- Apache HTTP Server 2.0.36
- Apache HTTP Server 2.0.37
- Apache HTTP Server 2.0.38
- Apache HTTP Server 2.0.39
- Apache HTTP Server 2.0.40
- Apache HTTP Server 2.0.41
- Apache HTTP Server 2.0.42
- Apache HTTP Server 2.0.43
- Apache HTTP Server 2.0.44
- Apache HTTP Server 2.0.45
- Apache HTTP Server 2.0.46
- Apache HTTP Server 2.0.47
- Apache HTTP Server 2.0.48
- Apache HTTP Server 2.0.49
- Apache HTTP Server 2.0.50
- Apache HTTP Server 2.0.51
- Apache HTTP Server 2.0.52
- Apache HTTP Server 2.0.53
- Apache HTTP Server 2.0.9A
- Canonical Ubuntu 4.10
- Canonical Ubuntu 5.04
- Debian Debian Linux 3.1
- Gentoo Linux
- MandrakeSoft Mandrake Linux 10.0
- MandrakeSoft Mandrake Linux 10.0 AMD64
- MandrakeSoft Mandrake Linux 10.1
- MandrakeSoft Mandrake Linux 10.1 X86_64
- MandrakeSoft Mandrake Linux LE2005 X86_64
- MandrakeSoft Mandrake Linux LE2005
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Multi Network Firewall 2.0
- Novell Open Enterprise 9 Server
- Novell Open Enterprise Server
- Novell Open Enterprise Server
- RedHat Enterprise Linux 3 ES
- RedHat Enterprise Linux 3 AS
- RedHat Enterprise Linux 3 Desktop
- RedHat Enterprise Linux 3 WS
- RedHat Enterprise Linux 4 AS
- RedHat Enterprise Linux 4 ES
- RedHat Enterprise Linux 4 Desktop
- RedHat Enterprise Linux 4 WS
- RedHat Enterprise Linux AS
- SuSE Linux Enterprise Server 8
- SUSE SuSE Linux 9.0
- SUSE SuSE Linux 9.1
- SUSE SuSE Linux 9.2
- SUSE SuSE Linux 9.3
- SuSE SuSE Open Enterprise Server 9
- SuSE SuSE SLES 9
- Turbolinux Turbolinux 10 Desktop
- Turbolinux Turbolinux 10 F...
- Turbolinux Turbolinux 10 Server
- Turbolinux Turbolinux 7 Server
- Turbolinux Turbolinux 7 Workstation
- Turbolinux Turbolinux 8 Server
- Turbolinux Turbolinux 8 Workstation
- Turbolinux Turbolinux Home
- Turbolinux Turbolinux Multimedia
- Turbolinux Turbolinux Personal
Reported:
Aug 25, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net