Apache httpd Remote Denial of Service

Description

A denial of service vulnerability has been found in the way multiple overlapping byte ranges (the HTTP Range header) are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild, and active use of this tool has been observed. The attack can be carried out remotely, and a modest number of requests can cause very significant memory and CPU usage on the server.

This alert was generated using only banner information. It may be a false positive.

Affected Apache versions: 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.
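The following is an added example, not code from this advisory or from the Apache project: a small checker that parses a Range header the way the advisory describes (many, overlapping byte ranges) so that a reverse proxy, WAF rule, or log-review script can flag such requests before they reach an unpatched server. The threshold MAX_RANGES and the classification labels are assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Assumed policy threshold (constructed for this example, not from the advisory):
# a Range header carrying more than this many byte-range specs is flagged.
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")  # 'a-b', 'a-' or '-b'

RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_range_header(value: str) -> Optional[List[RangeSpec]]:
    """Parse 'bytes=a-b,c-d,...' into (start, end) pairs; None if malformed."""
    if not value.lower().startswith("bytes="):
        return None
    specs: List[RangeSpec] = []
    for part in value[len("bytes="):].split(","):
        m = _SPEC.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        specs.append((start, end))
    return specs


def count_overlapping(specs: List[RangeSpec], content_length: int) -> int:
    """Count pairs of ranges that overlap once resolved against content_length."""
    resolved = []
    for start, end in specs:
        if start is None:  # suffix range '-N' means the last N bytes
            lo, hi = max(0, content_length - end), content_length - 1
        else:  # 'N-' runs to the end of the entity; 'N-M' is clipped to it
            lo = start
            hi = content_length - 1 if end is None else min(end, content_length - 1)
        resolved.append((lo, hi))
    overlaps = 0
    for i in range(len(resolved)):
        for j in range(i + 1, len(resolved)):
            a, b = resolved[i], resolved[j]
            if a[0] <= b[1] and b[0] <= a[1]:  # closed intervals share a byte
                overlaps += 1
    return overlaps


def classify_range(value: str, content_length: int, max_ranges: int = MAX_RANGES) -> str:
    """Return 'ok', 'malformed', 'too-many' or 'overlapping' for one Range header."""
    specs = parse_range_header(value)
    if specs is None:
        return "malformed"
    if len(specs) > max_ranges:
        return "too-many"
    if count_overlapping(specs, content_length) > 0:
        return "overlapping"
    return "ok"
```

Ordinary download managers and media players send one or a handful of disjoint ranges, so 'too-many' and 'overlapping' results are worth logging or rejecting with 403 at the edge.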


Impact
Remote Denial of Service

Recommendation
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.

References
CVE-2011-3192
Apache HTTPD Security ADVISORY
Apache HTTP Server 2.2.20 Released
Apache httpd Remote Denial of Service (memory exhaustion)