Softpedia
 


August 31st, 2011, 13:10 GMT · By

New Apache Version Fixes Serious DoS Bug

Apache 2.2.20 released
The Apache Software Foundation has released a new version of its web server in order to patch a serious denial of service vulnerability that endangers most installations.

The flaw, identified as CVE-2011-3192, was disclosed as a zero-day last week when a hacker calling himself Kingcope released a proof-of-concept attack tool dubbed "Apache Killer."

The vulnerability stems from the way Apache servers handle requests to send only parts of a file over HTTP.

Apache Killer sends GET requests with specially crafted "Range" headers that force the Apache process to consume all available resources and crash.

The bad part about this remote denial of service attack is that it doesn't require many resources to pull off.

An attacker with a single computer could take down a powerful server by exploiting this vulnerability.

Because of this, users are urged to upgrade as soon as possible to the newly released Apache HTTP Server 2.2.20. Admins should note that the Apache HTTP Server 1.3.x branch is vulnerable and no longer supported, so it won't receive an update.

People who for various reasons can't update at this time are urged to apply one of the publicly known mitigation solutions in order to protect their servers.

In addition to the security patch, the new 2.2.20 release also contains other fixes. One involves hook sorting in the core package, one prevents a timed-out connection from going into the keep-alive state, one fixes FilterProvider conditions of type "resp=" for CGI, and one forces constraint violations sent by LDAP servers to be treated as "auth denied."

The Apache HTTP Server is the most widely used web server software on the Internet. It has played an important role in the growth of the World Wide Web, and packages are available for most operating systems.
