Amidst a lack of fanfare this past weekend on a mailing list, a memory exhaustion hack popped up for the Apache webserver that may result in a Denial-of-Service (DoS) style attack. Since the Apache application serves up north of 65% of the websites on the internet, a plausible attack becomes quite an issue, especially if it gets much traction before a patch can be released.
Luckily, Apache is doing just that, with patches (hopefully) to be release in the next day or so. The vulnerability affects 1.3 and 2.x versions as well. Since 1.3 is no longer officially supported, it remains to be seen whether the significant amount of 1.3 Apache installations will see a patch forthcoming outside of a workaround (possibly from security updates from their upstream distribution sources). Many standard Linux/BSD distributions, the most frequently deployed Apache web server platform, have regular channels for security patches. Once the patches are released by Apache, they will then need to be pulled upstream by the various distributions and become available through traditional package management facilities like apt-get, yum, and others. In the meantime, Apache has a workaround, suggesting to “Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.” They also give a couple more alternative workarounds and more specifics on their mailing list post here. This will help mitigate the issue until a formal patch can be made available.
Still, some Apache web servers have been humming along untouched for years without much oversight, and may not receive patches as quickly as the hack spreads, representing a potentially widespread attack surface in the meantime. The posting says “An attack tool is circulating in the wild. Active use of this tools has been observed.” The nice thing is how proactive the Apache Foundation has been since it was brought to their attention.
Author Cameron Camp, ESET