Recently, sample code was posted publicly that exploits a denial of service vulnerability in the Apache HTTP Server. This particular vulnerability is receiving considerable industry attention given the popularity of Apache httpd and amid reports that exploitation has been seen in the wild. The vulnerability has been assigned CVE ID CVE-2011-3192 and currently scores 7.8/6.3 using CVSS.

By combining inefficiencies inside the web server software with a protocol design peculiarity, an attacker could consume substantial server CPU and memory by issuing requests that contain many overlapping Range or Request-Range values. Successful exploitation would consume server resources to the point of starving those needed to field legitimate requests from other users.
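As an added example (not code from this post or from the Apache project), the following Python inspects a Range or Request-Range header value the way a request filter or log review might, flagging the pattern described above: a request carrying many byte ranges, or ranges that overlap one another. The threshold, function names and sample header values are assumptions made for the example.

```python
import re
from itertools import combinations

# Threshold is an assumption for this example, not a value taken from the post;
# tune it to what the application legitimately needs from byte-range requests.
MAX_RANGES = 5

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value):
    """Parse a Range/Request-Range value 'bytes=a-b,c-d,...' into (start, end) tuples.

    'a-' yields (a, None); a suffix range '-n' yields (None, n).
    Returns None when the value is not a well-formed byte-range set.
    """
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def count_overlaps(ranges):
    """Number of range pairs whose byte spans intersect.

    Suffix ranges ('-n') cannot be positioned without the entity size,
    so they are left out of the comparison.
    """
    spans = [(s, float("inf") if e is None else e) for s, e in ranges if s is not None]
    return sum(1 for (a1, b1), (a2, b2) in combinations(spans, 2)
               if a1 <= b2 and a2 <= b1)


def inspect_range_header(header_value, max_ranges=MAX_RANGES):
    """Summarise a header value: range count, overlap count, and whether a
    defender would flag it (more than max_ranges ranges, or any overlap)."""
    ranges = parse_byte_ranges(header_value)
    if ranges is None:
        return None
    overlaps = count_overlaps(ranges)
    return {
        "ranges": len(ranges),
        "overlaps": overlaps,
        "suspicious": len(ranges) > max_ranges or overlaps > 0,
    }
```

The same check applies to both header names, since Apache honoured Request-Range as well as Range.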

The Apache HTTP Server team has published an advisory for the vulnerability that contains background information and possible mitigations to be used until fixed software is made available. I expect Apache will communicate fixed software availability as they typically do on their Security Vulnerabilities Page. The implementation of mitigations or evaluation of fixed software should be prioritized using an organization’s existing operational procedures. The natural tendency is to overreact when exploitation is possible in the absence of fixed software. Instead, organizations should focus operationally and invest their efforts on understanding their current situation and comparing it to established baselines.

While our Product Security Incident Response Team is evaluating the impact to our products, I wanted to share pointers to and captions from a few resources that Cisco Security Intelligence Operations has produced over the last week:

The situation for this particular vulnerability is still developing, and as such, I will add pointers to Cisco-created documentation to this post going forward. I hope you find this information helpful, and as always, we are interested in hearing your feedback. Let us know!

1 Comment.


  1. Looks like the Apache Software Foundation has released Apache 2.2.20, which addresses CVE-2011-3192 – more here http://www.apache.org/dist/httpd/Announcement2.2.html
