The Apache Software Foundation plans to have a fix available in the next day or so for the denial-of-service problem in the Apache HTTP Server that was publicized late last week. The bug, which in some forms has been under discussion for more than four years, involves the way the Web server handles requests whose Range header asks for many overlapping byte ranges at once.
The vulnerability is a denial-of-service bug, but it is considered serious because a remote attacker with a single ordinary client and little bandwidth can exhaust the server's memory and essentially take it offline. The Apache Software Foundation, which maintains the popular open-source Web server, updated its advisory on the vulnerability, saying that it expects to have a full fix available within the next 24 hours.
“In addition to the ‘Range’ header – the ‘Range-Request’ header is equally affected. Furthermore various vendor updates, improved regexes (speed and accommodating a different and new attack pattern),” Apache said in the advisory. “The default Apache HTTPD installation is vulnerable. There is currently no patch/new version of Apache HTTPD which fixes this vulnerability.”
There is a publicly available attack tool circulating online, and researchers say that they have seen attacks using the tool in the last few days. There are two separate pieces to the Web server problem that Apache is addressing right now. One of them is specific to Apache: the way the server handles a single request that asks for a large number of byte ranges.
“This advisory details a problem with how Apache httpd and its so called internal ‘bucket brigades’ deal with serving such “valid” request. The problem is that currently such requests internally explode into 100’s of large fetches, all of which are kept in memory in an inefficient way. This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy,” the Apache advisory says.
The other part of the problem is an issue with the HTTP protocol itself. The HTTP/1.1 specification lets a single Range header list any number of byte ranges, including ranges that overlap, and expects the server to return each one, in the order requested, as a part of a multipart/byteranges response. A client that asks for hundreds of overlapping ranges therefore forces the server to assemble a reply far larger than the resource it covers, which is where the denial-of-service issue arises. The IETF is looking at ways to fix the range header issue, as well.
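The two fixes the advisory describes, dropping or simplifying unwieldy requests and not doing redundant work for overlapping ranges, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from Apache httpd or from the advisory. It parses a Range header per RFC 2616, counts the byte ranges, merges overlapping or adjacent ones, and ignores the header entirely (answering with the whole resource) when a request asks for too many ranges. The names `parse_ranges`, `coalesce` and `triage`, the `MAX_RANGES` ceiling of 200, and the sample headers are all assumptions constructed here; the ceiling is modelled on the per-request limit httpd later adopted, not on the vulnerable code.

```python
"""Range-header triage in the spirit of the Apache advisory: count the
ranges, merge overlapping ones, and ignore requests deemed too unwieldy.

Added example, not Apache httpd code. MAX_RANGES and the "ignore the
header" fallback are assumptions; the sample headers are constructed.
"""
import re

MAX_RANGES = 200  # assumed ceiling; real clients ask for a handful at most

# byte-range-spec: first-byte-pos "-" [last-byte-pos], or "-" suffix-length
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header, size):
    """Return the satisfiable (first, last) inclusive ranges from a Range
    header for a resource of `size` bytes, or None when the header is
    syntactically invalid (RFC 2616 14.35.1 says to ignore it then)."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":                       # "-n": the final n bytes
            n = int(last)
            if n == 0:
                continue                      # asks for nothing
            ranges.append((max(size - n, 0), size - 1))
            continue
        start = int(first)
        end = size - 1 if last == "" else int(last)
        if last != "" and end < start:
            return None                       # "a-b" with b < a is invalid
        if start >= size:
            continue                          # unsatisfiable, skip this element
        ranges.append((start, min(end, size - 1)))
    return ranges


def coalesce(ranges):
    """Merge overlapping and adjacent ranges and return them sorted. RFC 7233
    later made explicit that a server MAY do this; it removes the repeated
    work that hundreds of overlapping ranges would otherwise cause."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def triage(header, size, max_ranges=MAX_RANGES):
    """Decide how to answer. 'full' = ignore Range and send the whole resource
    with a 200; 'partial' = 206 with the merged ranges; '416' = nothing in the
    header can be satisfied."""
    parsed = parse_ranges(header, size)
    if parsed is None:
        return {"action": "full", "requested": None, "ranges": [],
                "reason": "invalid syntax"}
    if not parsed:
        return {"action": "416", "requested": 0, "ranges": [], "reason": "unsatisfiable"}
    if len(parsed) > max_ranges:
        return {"action": "full", "requested": len(parsed), "ranges": [],
                "reason": "%d ranges exceeds limit of %d" % (len(parsed), max_ranges)}
    return {"action": "partial", "requested": len(parsed),
            "ranges": coalesce(parsed), "reason": None}


# Constructed samples, not captured traffic. ATTACK has the shape the article
# describes: one open-ended range followed by hundreds of short, overlapping,
# syntactically valid ranges. BROKEN contains an element whose end precedes
# its start, which makes the whole header invalid.
NORMAL = "bytes=0-499,1000-1499"
ATTACK = "bytes=0-," + ",".join("5-%d" % k for k in range(5, 1305))
BROKEN = "bytes=0-,5-0,5-1"

if __name__ == "__main__":
    for name, hdr in (("NORMAL", NORMAL), ("ATTACK", ATTACK), ("BROKEN", BROKEN)):
        print(name, triage(hdr, 1_000_000))
```

Two points of design worth noting. Merging changes the order of the parts, which the original HTTP/1.1 text did not contemplate; the advisory's "simplifying requests deemed too unwieldy" chooses the same trade-off, and a client that legitimately needs a few ranges is unaffected. Falling back to a plain 200 rather than rejecting with an error keeps the server useful to ordinary clients while denying the attacker the amplification.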