Apache DoS bug expected to be patched in 48 hours

A serious vulnerability in the popular open source Apache web server, which could be exploited to cause a denial of service, is expected to be patched within the next 48 hours.

An exploit to take advantage of the vulnerability was released on the Full Disclosure mailing list on August 20. The exploit can be used against all current Apache httpd versions and will remotely exhaust both RAM and CPU.

An Apache advisory said an attack tool to exploit the bug was circulating in the wild and active use of the tool had been observed. It added that the attack could be done remotely and, with a modest number of requests, could cause very significant memory and CPU usage on a server.

Explaining the vulnerability, veteran UNIX sysadmin Rick Moen told iTWire that a web server running the Apache HTTP daemon could be sent a large number of requests for overlapping byte regions of a single file download, leading to that web server running out of memory and being unable to do its job.

"This sort of server-overwhelming attack is possible, fundamentally, because Apache helpfully implements a standard web technical function called the Range header, which seems to be primarily used for intensive downloading uses such as some ebook downloads and some video streaming," Moen, who is based in California, said.

While the Apache Software Foundation (ASF) had said it would issue a patch within 48 hours, Moen said that in the meantime those running Apache on their servers could limit or disable use of the Range header in several ways, which the ASF has detailed at this URL.

"Operators should, however, check that any (legitimate) intensive downloading activities aren't impaired," Moen added.

He said the ASF was studying various ways to prevent abuse of the Range header to overwhelm Apache httpd servers while still respecting its legitimate use.

"For example, the attack script released to the Full Disclosure security mailing list sends the targeted Apache server a large number of requests for a single byte range, compressed, and there is no conceivable legitimate use for such requests," Moen pointed out.

"So, the ASF is presumably working on, more precisely, which sorts of requests should be honoured and which should not."

There has been prior warning of the vulnerability. More than four years ago, Michal Zalewski, a senior security researcher from Poland, had pointed out that both Apache and Microsoft's Internet Information Services (IIS) had what he described as "a bizarro implementation of HTTP/1.1 'Range' header functionality".

"Their implementations allow the same fragment of a file to be requested an arbitrary number of times, and each redundant part to be received separately in a separate multipart/byteranges envelope," Zalewski wrote in a post to the Bugtraq security mailing list.

"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?"
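As an added illustration, not code from the article, from Apache or from the ASF, here is a small request filter in Python that makes the kind of distinction Moen describes: it parses a Range header and honours ordinary requests, ignores malformed ones, and rejects requests that ask for too many ranges or for the same bytes more than once, the pattern Zalewski flagged. The MAX_RANGES threshold and the sample header are constructed assumptions, not values from the page.

```python
import re

# Assumed policy threshold for this example; not a value from the article
# or from the Apache Software Foundation's own guidance.
MAX_RANGES = 5

# Constructed sample request header in the shape the article describes:
# many overlapping byte ranges of a single file in one request.
ABUSIVE_HEADER = "bytes=0-," + ",".join("5-%d" % i for i in range(5, 1300))


def parse_ranges(header, size):
    """Parse an HTTP/1.1 Range header into (first, last) byte offsets for a
    resource of `size` bytes.  Returns None if the header is syntactically
    invalid; ranges lying entirely past the end of the file are dropped."""
    m = re.match(r"^\s*bytes\s*=\s*(.+?)\s*$", header)
    if not m:
        return None
    ranges = []
    for part in m.group(1).split(","):
        first, sep, last = part.strip().partition("-")
        if not sep:
            return None
        if first == "" and last.isdigit():           # suffix range: last N bytes
            if int(last) > 0:
                ranges.append((max(size - int(last), 0), size - 1))
        elif first.isdigit() and (last == "" or last.isdigit()):
            f = int(first)
            if last and int(last) < f:                # e.g. "5-0": invalid
                return None
            if f < size:                              # satisfiable range
                ranges.append((f, size - 1 if last == "" else min(int(last), size - 1)))
        else:
            return None
    return ranges


def range_policy(header, size, max_ranges=MAX_RANGES):
    """Return 'honour', 'ignore' or 'reject'.  A malformed header is ignored
    (the whole file is served once, as RFC 2616 prescribes); too many ranges,
    or the same bytes requested twice, are rejected, since each redundant
    fragment is a separate multipart/byteranges part the server must build."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return "ignore"
    if not ranges or len(ranges) > max_ranges:        # 416, or over the limit
        return "reject"
    ranges.sort()
    for (_, prev_last), (first, _) in zip(ranges, ranges[1:]):
        if first <= prev_last:                        # overlap or duplicate
            return "reject"
    return "honour"
```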

Apache is by far the most widely used web server software and runs on all major operating systems. According to the internet services company Netcraft, which conducts a monthly web survey, a little less than two-thirds of the websites it received a response from in August (a total of 301,771,518) were running Apache. Responses were received from 463,000,317 sites in all.


Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.