The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x up to and including 2.0.64, and 2.2.x up to and including 2.2.19 allows remote malicious users to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
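The description above names the trigger: a single Range header carrying many byte ranges that overlap one another. The check below is an added example, not code from the Apache project or from this page: it parses a `bytes=` Range header value into concrete (first, last) pairs, counts overlapping pairs, and flags a header that has more than a configurable number of ranges or any overlap at all, which is the kind of pre-filter a reverse proxy, WAF rule or log-review script would apply before the request reaches the byterange filter. The function names, the `max_ranges` default of 5 and the sample header values are all constructed for this illustration.

```python
import re

# One byte-range spec as in RFC 7233: "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^\s*(?:(\d+)-(\d*)|-(\d+))\s*$")


def parse_byte_ranges(header, content_length):
    """Parse a Range header value into a list of (first, last) tuples.

    Returns None when the value is not a syntactically valid bytes range
    (a server would then ignore the header entirely). Suffix ranges ("-500")
    and open-ended ranges ("500-") are resolved against content_length so
    that every returned range has concrete, inclusive bounds. Ranges that
    start past the end of the resource are unsatisfiable and are dropped.
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last, suffix = m.groups()
        if suffix is not None:
            length = int(suffix)
            if length == 0:
                return None  # "-0" is not a valid suffix range
            first_i = max(0, content_length - length)
            last_i = content_length - 1
        else:
            first_i = int(first)
            last_i = int(last) if last else content_length - 1
            if last_i < first_i:
                return None
            last_i = min(last_i, content_length - 1)
        if first_i >= content_length:
            continue
        ranges.append((first_i, last_i))
    return ranges


def count_overlaps(ranges):
    """Count pairs of ranges that share at least one byte."""
    ordered = sorted(ranges)
    overlaps = 0
    for i in range(len(ordered)):
        for j in range(i + 1, len(ordered)):
            # Sorted by start offset, so a later range overlaps this one
            # exactly when it begins at or before this one's last byte.
            if ordered[j][0] > ordered[i][1]:
                break
            overlaps += 1
    return overlaps


def range_header_is_abusive(header, content_length, max_ranges=5):
    """Return True when the Range header should be rejected or ignored.

    Flags more than max_ranges ranges, or any overlap between ranges.
    A malformed header returns False: the server ignores it anyway.
    """
    ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return False
    if len(ranges) > max_ranges:
        return True
    return count_overlaps(ranges) > 0


if __name__ == "__main__":
    # Constructed sample values for a 10 000-byte resource.
    benign = "bytes=0-499,500-999"
    overlapping = "bytes=0-99,50-149,100-199"
    for h in (benign, overlapping):
        print(h, "->", "flag" if range_header_is_abusive(h, 10000) else "ok")
```

A proxy or WAF that applies this check can either drop the Range header and serve the full resource, or answer 416, for flagged requests; the `max_ranges` threshold is a policy choice, since legitimate clients such as download managers and PDF viewers rarely request more than a handful of disjoint ranges per request.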
Vulnerable Product |
---|
apache http server |
opensuse opensuse 11.3 |
opensuse opensuse 11.4 |
suse linux enterprise server 10 |
suse linux enterprise server 11 |
suse linux enterprise software development kit 10 |
suse linux enterprise software development kit 11 |
canonical ubuntu linux 8.04 |
canonical ubuntu linux 10.04 |
canonical ubuntu linux 10.10 |
canonical ubuntu linux 11.04 |
Sysadmins shouldn't hang about with this one...
Oracle broke with tradition with the publication of an unscheduled security update last weekend. The fix – which addresses a DoS vulnerability in its Apache web server software – represents only the fifth time that Oracle has published a security fix outside the quarterly patch update batch it began at the start of 2005, net security firm Sophos notes. More specifically the patch provides an updated Apache web server, httpd, to Oracle's Fusion Middleware and Application Server products. The ...
Webmasters, mainly corporate sysadmin and dev teams, need to pay attention to today’s Oracle CPU, impacting Oracle Fusion Middleware, Oracle Application Server, and Oracle Enterprise Manager. This stuff is commonly deployed in the enterprise. Sysadmins should be aware that CVE-2011-3192 is only known to enable DoS attacks: “The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU ...
Byte range vuln exposed servers to crippling DoS exploit
Maintainers of the open-source Apache webserver have fixed a severe weakness that attackers are exploiting to crash websites. Flaws in Apache's HTTP daemon made it easy to crash servers using publicly available software released last week. The bugs in the way the HTTPD processed multiple web requests that involved overlapping byte ranges allowed attackers to overwhelm servers by sending them a modest amount of traffic. An advisory on Apache's website said the bug, formally known as CVE-2011-3192...