Another Apache update due to byte range flaw
The Apache Foundation has announced that the newly released version 2.2.21 of its free web server is essentially a bug fix and security release. In particular, the developers focused on the vulnerability that makes servers susceptible to Denial-of-Service (DoS) attacks.
The new version corrects and complements the first fix, which was released only two weeks ago. It corrects an incompatibility with the HTTP definition and changes the interpretation of the MaxRange directive. It also fixes flaws in mod_proxy_ajp, a module that provides support for the Apache JServ protocol.
Users are advised to update their Apache installations as soon as possible. However, those who use Apache 2.0 will still need to wait: corrections for this version are scheduled to be incorporated in the release of version 2.0.65 in the near future. Those who use version 1.3 are not affected by the byte range bug.
The Apache developers explain the background of the byte range vulnerability in an online document. There, they also describe various options for protecting servers against DoS attacks that exploit this vulnerability. The document also mentions a ticket on the byte range topic issued by the IETF, which is responsible for the HTTP standard. In this document, the IETF says that the protocol itself is vulnerable to DoS attacks, because of, for instance, the potential presence of many small or overlapping byte range requests.
Changes to RFC 2616 are planned in order to correct this. The IETF stipulates that clients must no longer send overlapping byte ranges, and that servers may coalesce such overlapping ranges into a single range. Ranges within a request must be separated by a gap that is greater than 80 bytes, and they must be listed in ascending order, said the IETF.
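The planned rules can be expressed as a server-side check on the Range header. The following is an added example, not code from Apache or the IETF: the function names are hypothetical, the sample headers are constructed, and the gap is assumed to be counted as the number of bytes between the end of one range and the start of the next.

```python
import re

MIN_GAP = 80  # page: ranges must be separated by a gap greater than 80 bytes
_SPEC = re.compile(r"(\d*)-(\d*)")

def parse_ranges(header, size):
    """Resolve a 'bytes=' Range header into inclusive (first, last) pairs for
    a resource of `size` bytes; unsatisfiable specs are dropped."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        raise ValueError("not a bytes range")
    out = []
    for spec in specs.split(","):
        m = _SPEC.fullmatch(spec.strip())
        if not m or m.groups() == ("", ""):
            raise ValueError(f"malformed range spec: {spec!r}")
        first, last = m.groups()
        if first == "":                       # suffix form "-N": last N bytes
            lo, hi = max(size - int(last), 0), size - 1
        else:                                 # "A-B" or open-ended "A-"
            lo, hi = int(first), (int(last) if last else size - 1)
            if last and hi < lo:
                raise ValueError(f"last byte before first byte: {spec!r}")
            hi = min(hi, size - 1)
        if lo <= hi:
            out.append((lo, hi))
    return out

def violations(ranges):
    """Names of the planned client rules that this list of ranges breaks."""
    found = set()
    if ranges != sorted(ranges):
        found.add("not-ascending")
    reach = None                              # highest byte covered so far
    for lo, hi in sorted(ranges):
        if reach is not None and lo <= reach:
            found.add("overlap")
        elif reach is not None and lo - reach - 1 <= MIN_GAP:
            found.add("gap-too-small")
        reach = hi if reach is None else max(reach, hi)
    return found

def coalesce(ranges):
    """Merge overlapping ranges into single ranges, as a server may do."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged
```

A server could log or reject requests for which `violations()` is non-empty, or serve the output of `coalesce()` instead of one response part per requested range.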