| Threat Type: | CWE-399: Resource Management Errors |
| IntelliShield ID: | 24004 |
| Version: | 25 |
| First Published: | 2011 August 25 13:38 GMT |
| Last Published: | 2012 October 10 14:21 GMT |
| Vector: | Network |
| Authentication: | None |
| Exploit: | Proof-of-Concept |
| Port: | Not Available |
| CVE: | CVE-2011-3192 |
| BugTraq ID: | 49303 |
| Urgency: | Unlikely Use |
| Credibility: | Confirmed |
| Severity: | Mild Damage |
| CVSS Base: | 7.8 (CVSS Version 2) |
| CVSS Temporal: | 6.1 |
| |
| Version Summary: | HP has released an additional security bulletin and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability. |
| |
| |
| Description |
|
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to improper handling of HTTP byte-range requests by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted requests whose Range header lists a large number of overlapping ranges to the system. Processing such requests could cause the application to consume excessive memory, resulting in a DoS condition on the system.
Proof-of-concept exploit code is publicly available.
Apache has confirmed this vulnerability and updated software is available. |
| |
| Warning Indicators |
|
| Apache HTTP Server 2.0.x and 2.2.x releases up to and including 2.2.19 are vulnerable. Products that bundle an affected Apache HTTP Server, such as those listed under Product Sets below, are also affected. |
| |
| IntelliShield Analysis |
|
| To exploit this vulnerability, the attacker only needs to send crafted HTTP requests to a reachable instance of the affected software; no authentication, valid account, or user interaction is required. Depending on the network configuration, the attacker may need access to trusted, internal networks, and that access requirement decreases the likelihood of a successful exploit. Because Apache HTTP Server is commonly exposed directly to the Internet, however, and because proof-of-concept exploit code is publicly available, administrators of Internet-facing systems should assume that exploitation attempts are straightforward and apply the updated software or the header-filtering workarounds promptly. |
| |
Vendor Announcements |
|
Apache has released security advisories at the following links: CVE-2011-3192 (the original advisory) and CVE-2011-3192 (UPDATE 2), which adds workarounds that can be applied before updated software is installed
Apple has released a security update at the following link: OS X Lion v10.7.2 and Security Update 2011-006
Cisco has re-released a security advisory at the following link: cisco-sa-20110830-apache
FreeBSD has released a VuXML document at the following link: apache -- Range header DoS vulnerability
Hitachi has released a security advisory at the following link: HS11-019
HP has released security bulletins c02997184, c03025215, c03011498, c03280632, c03285138, and c03517954 at the following links: HPSBUX02702 SSRT100606, HPSBUX02707 SSRT100626, HPSBMU02704 SSRT100619, HPSBMU02764 SSRT100827, HPSBMU02766 SSRT100624, and HPSBOV02822 SSRT100966
IBM has released a flash alert at the following link: swg21512087
MontaVista Software has released a security alert for registered users on December 21, 2011, at the following link: MontaVista Security Fixes
Oracle has released security advisories at the following links: Oracle Security Alert for CVE-2011-3192, CVE-2011-3192, Oracle Security Blog for CVE-2011-3192, and Oracle Critical Patch Update - January 2012
Novell has released a technical information document at the following link: 7009621
Red Hat has released security advisories at the following links: RHSA-2011:1245, RHSA-2011:1294, RHSA-2011:1300, RHSA-2011:1329, RHSA-2011:1330, and RHSA-2011:1369
US-CERT has released a vulnerability note at the following link: VU#405811 |
|
| |
| Impact |
|
| An unauthenticated, remote attacker could exploit this vulnerability to exhaust the memory of the affected system and terminate the affected software unexpectedly, resulting in a DoS condition. |
| |
| Technical Information |
|
The vulnerability is due to improper handling of the HTTP Range request header (and the legacy Request-Range header, which the affected software also honours) by the byterange filter in the affected software. Range requests let a client ask for only the parts of a resource it needs rather than the complete resource, which servers use for resumed downloads and bandwidth optimization. The vulnerable filter neither limits the number of ranges in a single request nor merges ranges that overlap; instead it buffers a separate copy of the response body for every range listed, and when the response is also compressed (for example, by mod_deflate for a client that sends Accept-Encoding: gzip) each copy is compressed separately, multiplying the memory and CPU required.
An unauthenticated, remote attacker could exploit this vulnerability by sending requests whose Range header lists hundreds of overlapping ranges for a single resource. Processing each such request causes the server to allocate memory roughly proportional to the number of ranges multiplied by the size of the resource, so a small number of parallel requests is enough to exhaust system memory. A successful exploit could cause the affected software to terminate unexpectedly or render the host unresponsive, resulting in a DoS condition. |
| |
| Safeguards |
|
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators may consider filtering requests that contain abusive HTTP Range: or Request-Range: header values, for example by stripping or rejecting any such header that lists more than a few ranges (the Apache advisory's workarounds use mod_headers or mod_rewrite for this) and by lowering LimitRequestFieldSize so that a header carrying hundreds of ranges is refused outright. The legacy Request-Range: header must be filtered as well as Range:, because the affected software honours both. Updated Apache releases also provide the MaxRanges directive, which caps the number of ranges honoured in a single request.
Administrators are advised to monitor affected systems for sudden memory exhaustion or swap use and for a high rate of requests carrying unusually long Range: headers.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20110830-apache |
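The following Python script is an added example, not code from Cisco, Apache, or any vendor listed in this alert. It models the behaviour described under Technical Information and the header filtering suggested under Safeguards: it parses a Range (or legacy Request-Range) header, counts how many bytes an unpatched byterange filter would buffer when every listed range is materialised independently versus how many a server that merges overlapping ranges would, and flags the request if it exceeds a range limit or asks for more bytes than the resource holds. The five-range threshold, the 10,000-byte resource size and the sample headers are constructed for illustration; the sample modelled on the public proof of concept reproduces only the shape of its header and sends nothing.

```python
"""Added example (not code from Cisco, Apache or any vendor above).

Models the CVE-2011-3192 amplification described above and the Range-header
filtering suggested under Safeguards. All thresholds and sample requests are
constructed for illustration.
"""
import re

# Roughly the SetEnvIf pattern from Apache's published workaround: a Range
# value containing five or more commas is treated as abusive.
APACHE_WORKAROUND_RE = re.compile(r"(?:,.*?){5,5}")

MAX_RANGES = 5        # hypothetical local policy (assumption, not Apache's default)
RESOURCE_LEN = 10000  # constructed: size in bytes of the requested static file


def parse_byte_ranges(value, resource_len):
    """Turn an RFC 2616 'bytes=a-b,c-,-n' specifier into concrete
    (first, last) pairs; unsatisfiable or malformed specs are skipped."""
    if not value.startswith("bytes="):
        return []
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            continue
        first, last = m.group(1), m.group(2)
        if first == "":                        # suffix range: the last n bytes
            n = int(last)
            if n == 0:
                continue
            start, end = max(resource_len - n, 0), resource_len - 1
        else:
            start = int(first)
            end = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
            if start >= resource_len or end < start:
                continue
        ranges.append((start, end))
    return ranges


def bytes_buffered(ranges):
    """Bytes a filter holds if every listed range is materialised separately."""
    return sum(end - start + 1 for start, end in ranges)


def merge_ranges(ranges):
    """Coalesce overlapping or adjacent ranges, as a patched server does."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def assess_range_header(headers, resource_len=RESOURCE_LEN, max_ranges=MAX_RANGES):
    """Verdict for one request. Header names are matched case-insensitively and
    the legacy Request-Range header is honoured, as the affected software did."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("range") or lowered.get("request-range")
    if value is None:
        return {"abusive": False, "reason": "no range header"}
    ranges = parse_byte_ranges(value, resource_len)
    merged = merge_ranges(ranges)
    unpatched = bytes_buffered(ranges)
    abusive = len(ranges) > max_ranges or unpatched > resource_len
    return {
        "abusive": abusive,
        "reason": "too many ranges or ranges exceed resource size" if abusive else "ok",
        "range_count": len(ranges),
        "merged_count": len(merged),
        "bytes_unpatched": unpatched,             # what an unpatched filter buffers
        "bytes_patched": bytes_buffered(merged),  # what a merging server buffers
        "amplification": round(unpatched / resource_len, 1) if resource_len else 0.0,
        "apache_workaround_hit": bool(APACHE_WORKAROUND_RE.search(value)),
    }


# Constructed sample requests: a resumed download, a small multi-range fetch,
# a header shaped like the public proof of concept ("bytes=0-,5-0,5-1,...")
# and the same abuse sent via the legacy header name.
SAMPLES = {
    "resume": {"Range": "bytes=5000-"},
    "multi": {"Range": "bytes=0-99,9900-9999", "Accept-Encoding": "gzip"},
    "poc_shape": {"Accept-Encoding": "gzip",
                  "Range": "bytes=0-," + ",".join("5-%d" % i for i in range(1300))},
    "legacy": {"Request-Range": "bytes=" + ",".join(["0-9999"] * 50)},
}


def demo():
    """Assess every constructed sample; returns {name: verdict}."""
    return {name: assess_range_header(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-10s %s" % (name, verdict))
```

Running the script prints one verdict per sample. The two legitimate requests stay well under the size of the resource, while the proof-of-concept-shaped header asks the unpatched filter to buffer roughly 85 times the file and collapses to a single range once overlaps are merged; the same request sent as Request-Range is caught only because the check looks at both header names.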
| |
Patches/Software |
|
Apache has released updated software at the following links:
Apache HTTP Server 2.2.21
Apple has released updated software at the following links:
Apple Mac OS X and Mac OS X Server 10.6.8:
Mac OS X 10.6.8
Mac OS X Server 10.6.8
Apple Mac OS X and Mac OS X Server 10.7.2:
Mac OS X Lion 10.7.2
Mac OS X Lion Server 10.7.2
CentOS packages can be updated using the up2date or yum command.
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
FreeBSD releases ports collection updates at the following link: Ports Collection Index
Hitachi customers should contact their support representatives to obtain updates.
HP has released software updates at the following links:
Onboard Administrator (OA) v3.55
HP-UX Web Server Suite (WSS) v3.18
HP-UX Web Server Suite (WSS) v3.19
HP-UX Web Server Suite (WSS) v2.33
HP-UX Web Server Suite (WSS) v2.34
HP System Management Homepage (SMH) 7.0
HP OpenView Network Node Manager (OV NNM) v7.53
HP Secure Web Server for OpenVMS V2.2 Update 2
IBM has released a fix at the following link: IBM
MontaVista Software has released updated software for registered users at the following links:
Pro 4.0.1
CGE 4.0.1
Mobilinux 4.1
Mobilinux 4.0.2
Oracle has released patches for registered users at the following links:
SPARC: Solaris 10 with patch 120543-24 or later
Intel: Solaris 10 with patch 120544-24 or later
Oracle has released patches for registered users at the following link: Oracle
Oracle has released patches for registered users at the following links: Oracle Supply Chain Product Suite
Red Hat packages can be updated using the up2date or yum command. |
|
| Signatures |
| |
| |
| Alert History |
| |
Version 25, October 10, 2012: HP has released an additional security bulletin and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 24, April 18, 2012, 2:20 PM: HP has released an additional security bulletin and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 23, April 17, 2012, 5:36 PM: HP has released an additional security bulletin and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 22, January 24, 2012, 10:37 AM: Cisco has re-released a security advisory and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 21, January 19, 2012, 4:35 PM: Oracle has released security advisories and patches to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 20, January 11, 2012, 9:39 AM: MontaVista has released a security alert and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 19, January 3, 2012, 4:55 PM: Hitachi has released a security advisory and updated packages to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 18, November 15, 2011, 10:59 AM: Oracle has released a security advisory and patches to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 17, November 4, 2011, 8:14 AM: HP has released an additional security bulletin and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 16, October 28, 2011, 8:40 AM: HP has re-released security bulletins and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 15, October 26, 2011, 9:35 AM: Novell has released a technical information document to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 14, October 15, 2011, 9:02 PM: Red Hat has released an additional security advisory and updated packages to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 13, October 13, 2011, 12:46 PM: Apple has released a security update and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 12, September 29, 2011, 11:27 AM: Red Hat has released an additional security advisory and updated packages to address the Apache HTTP Server overlapping ranges denial of service vulnerability. Oracle and HP have also released updates to address this vulnerability.
Version 11, September 16, 2011, 2:15 PM: Oracle has released a security advisory and patches to address the Apache HTTP Server overlapping ranges denial of service vulnerability. Red Hat has also released an additional security advisory and updated software to address this vulnerability.
Version 10, September 15, 2011, 10:45 AM: Cisco has re-released a security advisory and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability. Red Hat has also released an additional security advisory and updated software to address this vulnerability.
Version 9, September 14, 2011, 10:46 AM: Apache has released an additional security advisory and updated software to address the HTTP Server overlapping ranges denial of service vulnerability.
Version 8, September 9, 2011, 5:36 PM: HP has released a security bulletin and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 7, September 7, 2011, 9:20 AM: Cisco has re-released a security advisory and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 6, September 2, 2011, 11:59 AM: Cisco has re-released a security advisory and updated software to address the Apache HTTP Server overlapping ranges denial of service vulnerability. CentOS and IBM have also released security advisories and updated software to address this vulnerability.
Version 5, September 1, 2011, 8:35 AM: Red Hat has released a security advisory and updated packages to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 4, August 31, 2011, 1:49 PM: Apache has released updated software to address the HTTP Server overlapping ranges denial of service vulnerability.
Version 3, August 30, 2011, 11:42 AM: Cisco and FreeBSD have released security advisories and software updates to address the Apache HTTP Server overlapping ranges denial of service vulnerability.
Version 2, August 26, 2011, 2:27 PM: Apache has released an additional security advisory with workarounds to address the HTTP Server overlapping ranges denial of service vulnerability.
Version 1, August 25, 2011, 8:38 AM: Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are not available.
|
|
Product Sets |
| |
The security vulnerability applies to the following combinations of products.
| Associated Products: |
| Apple | Mac OS X | 10.6 Intel, PPC | 10.6.1 Intel, PPC | 10.6.2 Base | 10.6.3 Base | 10.6.4 Base | 10.6.5 Base | 10.6.6 Base | 10.6.7 Base | 10.7 Base | 10.7.1 Base |
| Apple | Mac OS X Server | 10.6 Intel, PPC | 10.6.1 Intel, PPC | 10.6.2 Base | 10.6.3 Base | 10.6.4 Base | 10.6.5 Base | 10.6.6 Base | 10.6.7 Base | 10.7 Base | 10.7.1 Base |
| CentOS Project | CentOS | 4 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64, .6 i386, .6 x86_64, .7 i386, .7 x86_64 |
| Cisco | Cisco MDS 9000 NX-OS Software | 2.1 Base | 3.0 Base | 3.2 Base | 4.1 Base | 4.2 Base |
| Cisco | Cisco Mobility Services Engine | 5.1 Base | 5.2 Base | 6.0 Base | 7.0 Base |
| Cisco | Cisco Network Asset Collector | 1 .2, Base |
| Cisco | Cisco NX-OS Software | 4.0 (1), (1a), (1a)E1(1), (4)SV1(1), (4)SV1(2), (4)SV1(3), (4)SV1(3a), (4)SV1(3b), (4)SV1(3c), Base | 4.1 (2)E1(1), (5), .(2), .(3), .(4) |
| Cisco | Cisco Quad | 2.0 Base |
| Cisco | Cisco Security Agent | 6.0 .2.151 |
| Cisco | Cisco Telepresence | 1.1 .1 | 1.2 .0, .1, .2 | 1.3 .2, Base | 1.6 .0, .2, .3, .4, .5, .6, .7, .8 | 1.7 .0, .1, .2 |
| Cisco | Cisco Video Surveillance Operations Manager Softwa | 3.0 .0 | 3.1 .0, .1 | 4.0 .0 | 4.1 .0, .1 | 4.2 .0 |
| Cisco | Cisco Wide Area Application Services (WAAS) | 4.4 .3a |
| Cisco | Cisco Wireless Control System (WCS) Software | 4.0 .1.0, .43.0, .66.0, .81.0, .87.0, .96.0, .97.0, Base | 4.1 .83.0, .91.0, Base | 4.2 .62.0, .62.11, Base | 6.0 Base |
| Cisco | CiscoWorks Common Services (CS) | 1.0 Base | 2.2 Base | 2.3 Base | 3.0 .3, .4, .5, .6, Base | 3.1 .1, Base | 3.2 Base | 3.3 Base |
| Cisco | CiscoWorks LAN Management Solution (LMS) | 1.0 Base | 1.1 Base | 1.2 Base | 1.3 Base | 2.0 Base | 2.1 Base | 2.2 Base | 2.5 .1, Base | 2.6 Base | 3.0 .1, Base | 3.1 Base | 3.2 Base | 4.0 Base |
| FreeBSD Project | FreeBSD | 7.2 Base | 7.3 Base | 7.4 Base | 8.0 Base | 8.1 Base |
| Hitachi, Ltd. | Hitachi Web Server (AIX) | 03-00 -01, -02, -03, -04, -05, Base | 03-10 -01, -02, -03, -04, -05, -06, -07, -08, -09, Base | 04-00 -01, -02, Base | 04-10 -01, -02, -03, -04, -05, Base |
| Hitachi, Ltd. | Hitachi Web Server (HP-UX) | 03-00 -01, Base |
| Hitachi, Ltd. | Hitachi Web Server (HP-UX IPF) | 03-00 -01, -02, -03, -04, -05, Base | 03-10 -01, -02, -03, -04, -05, -06, -07, -08, -09, Base | 04-00 -01, -02, -03, -04, Base | 04-10 -01, -02, Base | 04-20 Base |
| Hitachi, Ltd. | Hitachi Web Server (Linux) | 03-00 -01, -02, -03, -04, -05, -06, Base | 03-10 -01, -02, -03, -04, -05, -06, -07, -08, -09, Base | 04-00 -01, -02, -03, -04, -05, Base | 04-10 -01, -02, -03, -04, -05 | 04-20 Base |
| Hitachi, Ltd. | Hitachi Web Server (Linux IPF) | 03-00 -01, -02, -03, -04, -05, -06, Base | 03-10 -01, -02, -03, -04, -05, -06, -07, -08, -09, Base | 04-00 -01, -02, -03, -04, -05, Base | 04-10 -01, -02, -03 |
| Hitachi, Ltd. | Hitachi Web Server (Solaris) | 03-00 -01, Base | 03-10 -01, -02, -03, -04, -05, -06, -07, Base | 04-00 -01, -02, -03, -04, -05 |
| Hitachi, Ltd. | Hitachi Web Server (Solaris x64) | 04-00 -01 |
| Hitachi, Ltd. | Hitachi Web Server (Windows) | 03-00 -01, -02, -03, -04, -05, -06, Base | 03-10 -01, -02, -03, -04, -05, -06, -07, -08, -09, -10, Base | 04-00 -01, -02, -03, -04, -05, Base | 04-10 -01, -02, -03, -04 |
| Hitachi, Ltd. | Hitachi Web Server (Windows x64) | 04-10 -01, -02, -03 |
| HP | HP OpenView Network Node Manager (NNM) | 7.01 Base | 7.50 Base | 7.51 Base | 7.52 Base | 7.53 Base |
| HP | HP-UX | 11.11/11i Base | 11.23 Base | 11.31 Base |
| HP | HP-UX Web Server Suite (HPUXWSSUITE) | 2.33 Base | 3.18 Base |
| HP | Onboard Administrator | 3.21 Base | 3.30 Base | 3.31 Base | 3.32 Base | 3.50 Base |
| HP | Secure Web Server (SWS) for OpenVMS Alpha | 1.7 -7, -8 | 2.1 -1 | 2.2 Base |
| HP | Secure Web Server (SWS) for OpenVMS Itanium | 2.1 -1 | 2.2 Base |
| HP | System Management Homepage (SMH) | 6.0.0 Base | 6.1 Base | 6.2 Base |
| IBM | HTTP Server | 2.0.42 .1, .2, Base | 2.0.47 .1, Base | 6.0.2 .0, .1, .11, .13, .15, .17, .19, .21, .23, .25, .27, .29, .3, .31, .33, .35, .37, .39, .41, .5, .7, .9 | 6.1.0 .1, .10, .11, .12, .13, .15, .16, .17, .18, .19, .2, .20, .21, .23, .25, .27, .29, .3, .31, .33, .35, .4, .5, .6, .7, .8, .9, Base | 7.0.0 .11, .13, .3, .5, .7, .9, Base |
| IBM | WebSphere Application Server | 6.0 .0.2, .0.3, .1, .1.1, .1.2, .2, .2.1, .2.11, .2.13, .2.15, .2.17, .2.18, .2.19, .2.2, .2.20, .2.21, .2.23, .2.25, .2.27, .2.29, .2.3, .2.31, .2.33, .2.34, .2.35, .2.37, .2.38, .2.39, .2.4, .2.40, .2.41, .2.42, .2.43, .2.5, .2.6, .2.7, .2.8, .2.9, Base | 6.1 .0, .0.1, .0.10, .0.11, .0.12, .0.13, .0.14, .0.15, .0.17, .0.19, .0.2, .0.21, .0.23, .0.25, .0.28, .0.29, .0.3, .0.30, .0.31, .0.33, .0.35, .0.37, .0.39, .0.4, .0.5, .0.6, .0.7, .0.8, .0.9 | 7.0 .0.0, .0.1, .0.10, .0.11, .0.13, .0.15, .0.17, .0.18, .0.3, .0.5, .0.6, .0.7, .0.8, .0.9 | 8.0 Base |
| IBM | WebSphere Application Server for z/OS | 5.1 .0.0 | 6.0 .1.0, .1.1, .1.2, .2.0, .2.1, .2.10, .2.11, .2.12, .2.13, .2.15, .2.16, .2.17, .2.18, .2.19, .2.2, .2.20, .2.21, .2.22, .2.23, .2.24, .2.25, .2.27, .2.29, .2.3, .2.31, .2.33, .2.34, .2.35, .2.36, .2.37, .2.38, .2.4, .2.5, .2.6, .2.7, .2.8, .2.9 | 6.1 .0.0, .0.1, .0.10, .0.11, .0.12, .0.13, .0.14, .0.15, .0.16, .0.17, .0.18, .0.19, .0.2, .0.21, .0.22, .0.23, .0.24, .0.25, .0.27, .0.28, .0.29, .0.3, .0.31, .0.33, .0.35, .0.37, .0.39, .0.4, .0.5, .0.6, .0.7, .0.8, .0.9 | 7.0 .0.0, .0.1, .0.11, .0.13, .0.15, .0.17, .0.18, .0.5, .0.7, .0.9, 0.3 | 8.0 .0.0 |
| IBM | WebSphere Application Server Hypervisor Edition | 6.1 Base | 7.0 Base |
| MontaVista | MontaVista Linux | CGE 4.0.1 | Mobilinux 4.0.2, 4.1 | Professional 4.0.1 |
| Novell, Inc. | NetWare | 6.5 SP6, SP7, SP8 |
| Oracle Corporation | Oracle Application Server 10g | 10.1.2 .3.0 | 10.1.3 .5.0 |
| Oracle Corporation | Oracle Fusion Middleware | 11 .1.1.3.0, .1.1.4.0, .1.1.5.0 |
| Oracle Corporation | Oracle Transportation Manager | 5.5 .05.07, 06.00 | 6.0 Base | 6.1 Base | 6.2 Base |
| Oracle Corporation | Solaris Express | 11 2010.11 |
| Red Hat, Inc. | JBoss Enterprise Web Server | EL4 IA-32, x86_64 | EL5 IA-32, x86_64 | EL6 IA-32, x86_64 |
| Red Hat, Inc. | Red Hat Application Stack | 2 ia-32, x86_64 |
| Red Hat, Inc. | Red Hat Desktop | 4 IA-32, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux | 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Advanced Server | 4 IA-32, IA-64, PPC, s390, s390x, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Desktop | 5 IA-32, x86_64 | 6 IA-32, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Desktop Workstation | 5 IA-32, x86-64 |
| Red Hat, Inc. | Red Hat Enterprise Linux ELS (Extended Life Cycle | 3 IA-32 |
| Red Hat, Inc. | Red Hat Enterprise Linux Enterprise Server | 4 IA-32, IA-64, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux EUS (Extended Update Supp | 5.6.z IA-32, IA-64, PPC, PPC64, s390, s390x, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux HPC Node | 6 x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Long Life | 5.3 i386, ia64, x86_64 | 5.6 i386, ia64, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Server | 6 IA-32, PPC, PPC 64, s390, s390x, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Server EUS | 6.0.z IA-32, ppc64, s390x, x86_64 | 6.1.z IA-32, PPC, PPC64, s390, s390x, x86_64 |
| Red Hat, Inc. | Red Hat Enterprise Linux Workstation | 4 IA-32, IA-64, x86_64 | 6 IA-32, x86_64 |
| Sun Microsystems, Inc. | Solaris | 10 sparc, x64/x86 |
| Sun Microsystems, Inc. | Sun Secure Global Desktop Software | 4.2 Base | 4.4 Base | 4.5 Base | 4.6 Base | 4.61 Base |
|
|
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. |
|
|