Apache Fixes Range Header DoS Flaw

Dennis Fisher, threatpost.com
Aug. 31, 2011, 10:30 a.m.


There is a new version of the Apache Web Server available that fixes the recently disclosed Range header denial-of-service vulnerability. Apache 2.2.20 was released Tuesday, and the release consists almost entirely of the fix for that bug.

The Apache Software Foundation, which maintains the Web server, said that all users should upgrade to the new release as soon as possible in order to take advantage of the patch for CVE-2011-3192. The vulnerability in Apache lies in the way that the server handles multiple overlapping ranges in Range headers. An attack tool that can exploit the vulnerability is circulating online and researchers say they have seen attacks utilizing the tool.
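A defender-side illustration of the condition described above, as an added example that is not from the article or from the Apache project: a Python check that parses a request's Range header and flags the header shapes the article describes (many ranges, overlapping ranges) for a WAF rule or log review. The threshold MAX_RANGES and the sample headers are constructed for this example, not taken from the advisory.

```python
import re

# Constructed threshold for this example (not from the article): a handful of
# ranges is normal for resumable downloads and PDF viewers; dozens are not.
MAX_RANGES = 5
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_ranges(header):
    """Parse 'bytes=0-99,200-299' into [(0, 99), (200, 299)]; a missing bound is None.
    Returns None if malformed (wrong unit, empty range spec, or start > end)."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and start > end:
            return None
        ranges.append((start, end))
    return ranges

def count_overlaps(ranges):
    """Count bounded ranges that intersect an earlier one; unbounded ranges are skipped."""
    seen, hits = [], 0
    for start, end in ranges:
        if start is None or end is None:
            continue
        if any(start <= e and s <= end for s, e in seen):
            hits += 1
        seen.append((start, end))
    return hits

def classify_range_header(header):
    """Verdict for a WAF rule or log review: ok, malformed, too-many-ranges, overlapping."""
    ranges = parse_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "too-many-ranges"
    if count_overlaps(ranges) > 0:
        return "overlapping"
    return "ok"

# Constructed sample headers (not captured traffic) and their verdicts.
SAMPLES = ["bytes=0-1023,4096-8191", "bytes=0-99,50-149,100-199",
           "bytes=0-9,10-19,20-29,30-39,40-49,50-59", "items=0-9"]
VERDICTS = {h: classify_range_header(h) for h in SAMPLES}
```

Legitimate clients rarely send more than a few byte ranges per request, so a rule built on these verdicts can log or reject the suspicious shapes while leaving ordinary resumed downloads untouched.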

A researcher named Kingcope posted an advisory about the problem to the Full Disclosure mailing list two weeks ago and he also released a Perl script that exploits the bug.

Also on Tuesday, Cisco released a security advisory warning customers that a number of its products are vulnerable to the Apache header problem. The list of vulnerable products includes:

  • Cisco MDS 9000 NX-OS Software releases prior to 4.2.x are
    affected. Cisco MDS 9000 NX-OS Software releases 4.2.x and later
    are not affected.

  • Cisco NX-OS Software for Cisco Nexus 7000 Series Switches
    releases prior to 4.2.x are affected. Cisco NX-OS Software for
    Cisco Nexus 7000 Series Switches versions 4.2.x and later are not
    affected.

  • Cisco TelePresence Video Communication Server (Cisco TelePresence
    VCS)

  • Cisco Video Surveillance Manager (VSM)

  • Cisco Video Surveillance Operations Manager (VSOM)

  • Cisco Wireless Control System (WCS)

Cisco said in its advisory that it is still evaluating whether any of its other products also are vulnerable.