The notorious Apache Killer tool that has been used for DoS attacks on HTTP servers met its doom after Oracle released a patch that should cover all the remaining holes, including some left untouched by the earlier fix issued by the Apache Foundation. Because Oracle widely implements Apache in its products, its applications were affected by the weakness, so the company decided to take a stand.
The patch released by the Apache Foundation seems to be good, but not good enough; otherwise Oracle would not have gone to the trouble of producing a new one.
According to the company's official blog, the National Vulnerability Database scored the vulnerability at 7.8, a rating that normally indicates the possibility of a denial-of-service attack that could take down the whole operating system. Because such an attack is not possible on any platform supported by Oracle, the company lowered the score to 5.0, which reflects the possibility of a complete DoS of the Oracle HTTP Server only.
“This vulnerability allows a malicious attacker to hang the Oracle HTTP Server product via an easy-to-deploy, unauthenticated network attack,” revealed Eric Maurice on the official blog.
All the affected products will be fixed as soon as the patches designed for them have been fully tested, with the release expected no later than October 18.
Administrators are advised to apply the new patch immediately: even if the workarounds they are currently using seem to do the job, those might cause problems later.
“This recommendation is also applicable to other vendors’ products which may contain this vulnerability as a result of their implementation of the Apache HTTP Server. Organizations should quickly determine which of their systems is vulnerable, obtain the necessary patches from their respective suppliers, and plan to quickly apply these patches, especially in external facing systems,” Maurice further revealed.
Apache HTTP Server 2.2.21 is available for download here.