Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw.
Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability.
The new version of Apache includes “further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive,” the Apache statement says.
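To make concrete what the byte-range fix and the MaxRanges directive are managing, here is an added example (not Apache's own code): it parses a Range header into absolute ranges, coalesces overlapping spans so repeated ranges cannot inflate the response, and applies a MaxRanges-style cap. The cap of 200 is an assumption for this example, not a value quoted from the release notes.

```python
import re
# Assumed cap for this example: Apache's MaxRanges directive limits how many
# ranges one request may ask for. 200 is this example's value, not a quote.
MAX_RANGES = 200
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(header, size):
    """Parse 'bytes=a-b,c-,-d' into absolute (start, end) pairs for a resource
    of `size` bytes. Returns None if the header is malformed."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[6:].split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                      # suffix range: the last N bytes
            if int(last) == 0:
                continue
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
            if start > end:                  # unsatisfiable, skip it
                continue
        ranges.append((start, end))
    return ranges

def merge_ranges(ranges):
    """Coalesce overlapping or adjacent ranges so repeated spans cannot
    multiply the memory needed to build the multipart response."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess_range_header(header, size, max_ranges=MAX_RANGES):
    """Return (verdict, raw_count, merged_count). 'serve-whole' = ignore the
    Range header and send the whole resource, as MaxRanges does past its limit."""
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return ("invalid", 0, 0)
    merged = merge_ranges(ranges)
    verdict = "serve-whole" if len(ranges) > max_ranges else "ok"
    return (verdict, len(ranges), len(merged))
```

The gap between the raw and merged counts is the useful signal for a defender: a request whose many ranges collapse into a handful of spans is asking the server for far more work than the data warrants.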
The severity and validity of the bug were debated for a while on Full Disclosure and other security lists, with many people pointing out that Michal Zalewski had surfaced the same issue several years earlier. Apache didn’t fix the issue then, but did so last month after Kingcope published his research on a similar variant of the problem.
“This vulnerability concerns a ‘Denial of Service’ attack. This means that a remote attacker, under the right circumstances, is able to slow your service or server down to a crawl or exhausting memory available to serve requests, leaving it unable to serve legitimate clients in a timely manner. There are no indications that this leads to a remote exploit; where a third party can compromise your security and gain foothold of the server itself. The result of this vulnerability is purely one of denying service by grinding your server down to a halt and refusing additional connections to the server,” Apache’s latest advisory says.
Apache 2.2.21 also includes a fix for a second vulnerability, CVE-2011-3348, which is a separate denial-of-service flaw.