Apache HTTP Server ByteRange filter denial of service (HTTP_Reversed_Byte_Range)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Proventia Network IPS, Virtual Server Protection for Vmware:

This signature detects an HTTP request whose Range or Request-Range header contains a byte range in which the starting byte is greater than the ending byte.


Default risk level

Medium risk vulnerability

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2680, RealSecure Server Sensor: XPU 31.090, Proventia Network IDS: XPU 31.090, Proventia Network MFS: XPU 31.090, Proventia-G 1.1 and earlier: XPU 31.090, IBM Security Host Protection for Desktops: 2680, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Server IPS for Linux technology: 31.090, Proventia Network IPS: XPU 31.090, Virtual Server Protection for Vmware: XPU 31.090

Systems affected

Novell NetWare: 6.0, HP HP-UX: B.11.11, Cisco MDS 9000, HP HP-UX: B.11.23, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, IBM WebSphere Application Server: 6.1, Cisco Wireless Control System, RedHat RHEL Cluster: 4, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, HP HP-UX: B.11.31, RedHat Enterprise Linux: 5 Client, RedHat RHEL Application Stack: 2, Kolab Kolab Server: 2.0.0, IBM HTTP Server: 6.0, IBM HTTP Server: 6.1, IBM WebSphere Application Server: 7.0, IBM HTTP Server: 2.0, Cisco Nexus 7000, IBM HTTP Server: 7.0, Oracle Application Server 10g: 10.1.2.2, Oracle Fusion Middleware: 11.1, Hitachi Web Server: 3.x, Hitachi Web Server: 4.x, IBM OS 400: 6.x, F5 TMOS: 10.0.0, F5 TMOS: 10.2.0, Oracle Solaris: 11 Express, RedHat Enterprise Linux: 6 Server, RedHat Enterprise Linux: 6 Workstation, Apache HTTP Server: 2.2.19, IBM WebSphere Application Server: 8.0, Cisco TelePresence Video Communication Server (VCS), Cisco Video Surveillance Manager (VSM), Cisco Video Surveillance Operations Manager (VSOM), Cisco Quad, Cisco SAN-OS: 3.x, HP Onboard Administrator: 3.21, Oracle Secure Global Desktop: 4.6, F5 TMOS: 11.0, RedHat Enterprise Linux Desktop: 6, RedHat Enterprise Linux HPC Node: 6, RedHat Enterprise Linux Server EUS: 6.1.z, RedHat Enterprise Linux Server EUS: 6.0.z, RedHat Enterprise Linux EUS: 5.6.z, RedHat Enterprise Linux Long Life: 5.6, RedHat Enterprise Linux Long Life: 5.3, JBoss Enterprise Web Server, Avaya Experience Portal: 6.x, HP OpenVMS Secure Web Server: 2.2, Xerox WorkCentre

Type

Denial of Service

Vulnerability description

Apache HTTP Server is vulnerable to a denial of service, caused by an error in the ByteRange filter when processing malicious requests. By sending a specially-crafted HTTP request containing an overly large Range header, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
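As an added example, not code from IBM or from any of the sensor products listed above, the following Python implements the condition stated in the signature description and the vulnerability description: it parses Range and Request-Range headers, reports any byte range whose starting byte exceeds its ending byte, and counts the range specifiers so an oversized header can be flagged as well. The max_ranges threshold and the sample requests are constructed assumptions, not values from the advisory.

```python
import re

# byte-range-spec per RFC 2616 s14.35: first-byte-pos "-" [last-byte-pos] | "-" suffix-length
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(value):
    """Parse a Range/Request-Range value into (first, last) tuples; None means unspecified."""
    unit, sep, specs = value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit: %r" % value)
    ranges = []
    for spec in specs.split(","):
        if not spec.strip():
            continue  # tolerate empty list elements such as "bytes=0-1,,2-3"
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges

def reversed_ranges(ranges):
    """Ranges whose starting byte exceeds the ending byte: the signature's trigger condition."""
    return [(f, l) for f, l in ranges if f is not None and l is not None and f > l]

def inspect_request(raw_request, max_ranges=10):  # max_ranges: assumed tuning threshold
    """Scan a raw HTTP request for reversed byte ranges or an oversized Range header."""
    findings = {"reversed": [], "range_count": 0, "suspicious": False}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep != ":" or name.strip().lower() not in ("range", "request-range"):
            continue
        try:
            ranges = parse_byte_ranges(value)
        except ValueError:
            continue  # not a parseable byte-range header; outside this signature's scope
        findings["range_count"] += len(ranges)
        findings["reversed"].extend(reversed_ranges(ranges))
    findings["suspicious"] = bool(findings["reversed"]) or findings["range_count"] > max_ranges
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = "GET /a.iso HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-499\r\n\r\n"
REVERSED = "GET /a.iso HTTP/1.1\r\nHost: example.test\r\nRequest-Range: bytes=0-,5-1,-1\r\n\r\n"
```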

How to remove this vulnerability

Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site. See References.

For WebSphere Application Server 6.1:
Apply the latest Fix Pack (6.1.0.41 or later) or APAR PM46234. See References.

For WebSphere Application Server 7.0:
Apply the latest Fix Pack (7.0.0.21 or later) or APAR PM46234. See References.

For WebSphere Application Server 8.0:
Apply the latest Fix Pack (8.0.0.1 or later) or APAR PM46234. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

ASF Bugzilla Bug 51714
Byte Range Filter might consume huge amounts of memory combined with compressed streams
https://issues.apache.org/bugzilla/show_bug.cgi?id=51714

Apache HTTP Server Project Web site
Apache HTTPD Project - The Apache HTTPD Server Project
http://httpd.apache.org

EDB-ID: 17696
Apache httpd Remote Denial of Service (memory exhaustion)
http://www.exploit-db.com/exploits/17696/

Apache HTTPD Security ADVISORY
Range header DoS vulnerability Apache HTTPD 1.3/2.x
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E

Apache HTTPD Security ADVISORY
Range header DoS vulnerability Apache HTTPD 1.3/2.x
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

IBM APAR PM46234
Recommended fixes for WebSphere Application Server
http://www-01.ibm.com/support/docview.wss?uid=swg27004980

cisco-sa-20110830-apache
Apache HTTPd Range Header Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml

cisco-sa-20110830-apache
Apache HTTPd Range Header Denial of Service Vulnerability
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b90d73.shtml

IBM APAR SE49334
HTTPSVR - PATCH APACHE VULNERABILITY CVE-2011-3192
https://www.ibm.com/support/docview.wss?uid=nas2aae02620b9b78d9e862578fe003c799b

IBM Security Protection Alert
Apache HTTP Server ByteRange filter denial of service
http://www.iss.net/threats/432.html

HP Security Bulletin HPSBUX02702 SSRT100606 rev.2
HP-UX Apache Web Server, Remote Denial of Service (DoS)
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02997184

Kolab Mailing List, Wed Sep 14 14:35:07 CEST 2011
Announcing the Kolab Server 2.3.3
http://kolab.org/pipermail/kolab-announce/2011/000102.html

Oracle Web site
Oracle Security Alert for CVE-2011-3192
http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html

Sun Product Security Blog, Sep 22, 2011
Denial of Service (DoS) vulnerability in Apache HTTP Server
http://blogs.oracle.com/sunsecurity/entry/cve_2011_3192_denial_of

Oracle Critical Patch Update Advisory - October 2011
Oracle Critical Patch Update Advisory - October 2011
http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

HP Security Bulletin HPSBMU02704 SSRT100619
HP OpenView Network Node Manager (OV NNM) Running Apache, Remote Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03011498

Sun Product Security Blog, Nov 14, 2011
CVE-2011-3192 and CVE-2011-0419 affect Oracle Secure Global Desktop
http://blogs.oracle.com/sunsecurity/entry/cve_2011_3192_and_cve

Oracle Web site
Secure Global Desktop
http://www.oracle.com/us/technologies/virtualization/oraclevm/061996.html

Offensive Security Exploit Database [12-09-2011]
Apache HTTP Server Denial of Service
http://www.exploit-db.com/exploits/18221/

F5 Web site
BIG-IP LTM and TMOS version 11.1.0
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html

F5 Web site
BIG-IP LTM and TMOS version 10.2.3
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes-LTM-10-2-3.html

Oracle Critical Patch Update Advisory - January 2012
Oracle Critical Patch Update Advisory - January 2012
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

HP Security Bulletin HPSBMU02766 SSRT100624 rev.1
HP Onboard Administrator (OA), Remote Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03285138

HP Security Bulletin HPSBMU02776 SSRT100852 rev.1
HP Onboard Administrator (OA), Remote Unauthorized Access to Data, Unauthorized Disclosure of Information Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03315912

Oracle Critical Patch Update Advisory - July 2012
Oracle Critical Patch Update Advisory - July 2012
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

HP Security Bulletin HPSBOV02822 SSRT100966
HP Secure Web Server (SWS) for OpenVMS, Remote Denial of Service (DoS), Unauthorized Access, Disclosure of Information
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03517954

ASA-2011-281
httpd security update
https://downloads.avaya.com/css/P8/documents/100148618

Xerox Security Bulletin XRX12-004
Software update to address CVE-2011-3192
http://www.xerox.com/download/security/security-bulletin/1024c-4c596fb328140/cert_XRX12-004_v1.011.pdf

ISS X-Force
Apache HTTP Server ByteRange filter denial of service
http://www.iss.net/security_center/static/69396.php

CVE
CVE-2011-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192