Apache webserver buttoned up a vulnerability attackers are exploiting to crash websites.
Flaws in the open-source Apache HTTP daemon (httpd) made it easy to crash servers using publicly available attack software. The bugs, in the way httpd processed a web request carrying many overlapping byte ranges, allowed attackers to exhaust a server's memory with a modest amount of traffic.
An advisory on Apache's website said the bug, tracked as CVE-2011-3192, is fixed in version 2.2.20.
"We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade," the advisory stated. It also noted that the vulnerability was already in active use by attackers.
One of the bugs fixed in the update was specific to Apache, while a second flaw has been known since 2007 and possibly affects all webservers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the part of the HTTP protocol responsible for the problem, Apache said.
Versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x releases before 2.2.20 contain the denial-of-service vulnerabilities. A single web request that contains many overlapping byte ranges for a page can trigger them.
“The problem is that currently such requests internally explode into 100’s of large fetches, all of which are kept in memory in an inefficient way,” Apache’s advisory said. “This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy.”
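The two remedies the advisory describes, fetching ranges more efficiently and weeding out unwieldy requests, can be modelled in a few dozen lines. The following is an added example written for this article, not Apache's own code: it parses a Range header under the RFC 2616 rules, collapses overlapping or adjacent ranges into a minimal set, and refuses requests whose range list is too long or asks for the same bytes over and over. The thresholds MAX_RANGES and MAX_OVERSUBSCRIPTION are hypothetical policy knobs chosen for the example, and the sample headers (including the overlapping list that stands in for the attack traffic) are constructed here, not captured from a real exploit.

```python
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (first, last) byte positions

# Hypothetical policy knobs for this example; Apache's own limits differ.
MAX_RANGES = 100          # more byte-range-specs than this is "unwieldy"
MAX_OVERSUBSCRIPTION = 2  # raw ranges may not ask for more than 2x the file

# Constructed sample headers for a 10,000-byte resource.
RESOURCE_LENGTH = 10000
SAMPLE_HEADERS: Dict[str, str] = {
    "resume":      "bytes=5000-",
    "multipart":   "bytes=0-99,200-299,100-199",
    "suffix":      "bytes=-500",
    "past_end":    "bytes=20000-",
    "bad_syntax":  "bytes=5-0",
    "wrong_unit":  "items=0-5",
    "repeat":      "bytes=" + ",".join(["0-"] * 50),
    # Overlapping list of the kind the article describes (constructed).
    "overlapping": "bytes=0-," + ",".join(f"5-{i}" for i in range(5, 1300)),
}


def parse_ranges(header: str, length: int) -> Optional[List[Range]]:
    """Parse a Range header value into satisfiable (first, last) pairs.

    Returns None when the header must be ignored (wrong unit or a
    syntactically invalid spec, per RFC 2616 14.35.1), and an empty list
    when every spec was unsatisfiable (HTTP 416).
    """
    if not header.startswith("bytes=") or length <= 0:
        return None
    ranges: List[Range] = []
    for spec in header[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first_s, last_s = m.groups()
        if first_s == "":
            # Suffix range "-N": the last N bytes of the resource.
            n = int(last_s)
            if n == 0:
                continue  # unsatisfiable, skip this spec
            ranges.append((max(0, length - n), length - 1))
            continue
        first = int(first_s)
        if last_s == "":
            last = length - 1
        else:
            last = int(last_s)
            if last < first:
                return None  # invalid spec: whole header is ignored
        if first >= length:
            continue  # unsatisfiable, skip this spec
        ranges.append((first, min(last, length - 1)))
    return ranges


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Collapse overlapping or adjacent ranges into a minimal sorted set."""
    merged: List[Range] = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def decide(header: str, length: int) -> Tuple[str, List[Range]]:
    """Classify a Range header for a resource of the given length.

    'ignore'        -> serve the full body with 200
    'unsatisfiable' -> respond 416
    'reject'        -> request is unwieldy; drop the header or answer 400
    'partial'       -> respond 206 with the merged ranges
    """
    ranges = parse_ranges(header, length)
    if ranges is None:
        return "ignore", []
    if not ranges:
        return "unsatisfiable", []
    if len(ranges) > MAX_RANGES:
        return "reject", []
    requested = sum(last - first + 1 for first, last in ranges)
    if requested > MAX_OVERSUBSCRIPTION * length:
        return "reject", []
    return "partial", merge_ranges(ranges)


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        status, ranges = decide(header, RESOURCE_LENGTH)
        print(f"{name:12s} {status:14s} {ranges[:3]}")
```

The "repeat" sample passes the count limit but fails the oversubscription check, which is the one that matters here: a short list of ranges can still ask the server to fetch the whole file fifty times. Rejecting on total bytes requested, rather than on the number of ranges alone, bounds the work an attacker can demand per request.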