Linux Today: Linux News On Internet Time.

Update: The Register: Apache Urges Update Ahead of DoS Risk Alert

Apr 08, 2003, 17:59 (1 Talkback[s])
(Other stories by John Leyden)

[ Thanks to Jason Greenwood for this link. ]

"The Apache Software Foundation has updated its popular Web server software to guard against a serious, as yet unspecified, denial of service risk.

"Users of version 2.x of the Web server on all platforms are urged to upgrade to version 2.0.45. Sites running 1.x aren't affected.

"Details of the problem, discovered by security outfit iDefense, are to be made available later today..."

Complete Story

[Editor's Note: iDefense has released its announcement on this Apache security issue. The announcement follows. -BKP]

iDEFENSE Security Advisory 04.08.03:
Denial of Service in Apache HTTP Server 2.x
April 8, 2003


The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern operating
systems including Unix and Microsoft Corp.'s Windows. More information is
available at http://httpd.apache.org/ .


Remote exploitation of a memory leak in the Apache HTTP Server causes the
daemon to over utilize system resources on an affected system. The problem
is HTTP Server's handling of large chunks of consecutive linefeed
characters. The web server allocates an eighty-byte buffer for each
linefeed character without specifying an upper limit for allocation.
Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters.


While this type of attack is most effective in an intranet setting, remote
exploitation over the Internet, while bandwidth intensive, is feasible.
Remote exploitation could consume system resources on a targeted system
and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has
performed research using proof of concept exploit code to demonstrate the
impact of this vulnerability. A successful exploitation scenario requires
between two and seven megabytes of traffic exchange.


Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
vulnerable; all 2.x versions up to and including 2.0.44 are most likely
vulnerable as well.


Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
downloaded at http://httpd.apache.org/download.cgi . This release
introduces a limit of 100 blank lines accepted before an HTTP connection
is discarded.


The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0132 to this issue.


01/23/2003      Issue disclosed to iDEFENSE
03/06/2003      security@apache.org contacted
03/06/2003      Response from Lars Eilebrecht
03/11/2003      Status request from iDEFENSE
03/13/2003      Response received from Mark J Cox
03/23/2003      Response received from Brian Pane
03/25/2003      iDEFENSE clients notified
04/08/2003      Coordinated Public Disclosure

Related Stories: