Apache HTTPd Range header DoS vulnerability
Article: TECH176351 | Created: 2011-12-07 | Updated: 2012-08-09 | Article URL: http://www.symantec.com/docs/TECH176351
Problem
A Denial of Service (DoS) vulnerability in the Apache Foundation's HTTPd was announced on August 24th, 2011. This vulnerability affects all versions of Apache Web servers released before the announcement. Symantec Protection Center (SPC) 12.0 Small Business Edition (SBE) and Symantec Endpoint Protection Manager (SEPM) 12.1 both utilize Apache Server for client-server connectivity.
Solution
A resolution for this vulnerability is planned for a future release of the SEPM 12.1 product. There are no current plans to release a fixed version of SPC 12.0 SBE. At this time, use one of the following workarounds:
- Download the mod_setenvif.so file attached to this document and copy it to the %SEPM%\apache\modules folder
- Modify the httpd.conf file located in the %SEPM%\apache\conf folder to contain the following lines:
    SetEnvIfNoCase Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range
- Restart the following services:
  - Symantec Endpoint Protection Manager
  - Symantec Endpoint Protection Manager Webserver
- Modify the httpd.conf file located in the %SPC%\apache\conf folder to contain the following lines:
- Restart the following services:
  - Symantec Protection Center
  - Symantec Protection Center Webserver
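
To confirm the workaround is active and see which Range values it strips, the following added example (not Symantec's code) checks an httpd.conf text for both directives and applies the same pattern to sample header values. The function names and the configuration fragments are hypothetical and constructed for illustration.

```python
import re

# Pattern from the SetEnvIfNoCase line above. SetEnvIf patterns are
# unanchored (hence search) and NoCase maps to re.IGNORECASE.
BAD_RANGE = re.compile(r"(,.*?){5,}", re.IGNORECASE)

# Hypothetical checker: one regex per directive the workaround requires.
REQUIRED = {
    "SetEnvIfNoCase Range":
        r"SetEnvIfNoCase\s+Range\s+\(,\.\*\?\)\{5,\}\s+bad-range=1",
    "RequestHeader unset Range":
        r"RequestHeader\s+unset\s+Range\s+env=bad-range",
}

def missing_directives(conf_text):
    """Names of workaround directives that are absent or commented out."""
    active = [ln.strip() for ln in conf_text.splitlines()
              if ln.strip() and not ln.strip().startswith("#")]
    return [name for name, pat in REQUIRED.items()
            if not any(re.fullmatch(pat, ln, re.IGNORECASE) for ln in active)]

def apply_workaround(headers):
    """Mimic both directives: unset Range when it holds five or more commas."""
    return {k: v for k, v in headers.items()
            if not (k.lower() == "range" and BAD_RANGE.search(v))}

# Constructed httpd.conf fragments (not taken from a real installation).
GOOD_CONF = """\
SetEnvIfNoCase Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
"""
BAD_CONF = """\
SetEnvIfNoCase Range (,.*?){5,} bad-range=1
# RequestHeader unset Range env=bad-range
"""

if __name__ == "__main__":
    print("good conf missing:", missing_directives(GOOD_CONF))
    print("bad conf missing: ", missing_directives(BAD_CONF))
    # Constructed header values with 0, 4 and 5 commas.
    for value in ("bytes=0-99", "bytes=0-1,2-3,4-5,6-7,8-9",
                  "bytes=0-1,2-3,4-5,6-7,8-9,10-11"):
        kept = "Range" in apply_workaround({"Range": value})
        print(f"{value!r}: {'kept' if kept else 'unset'}")
```

Requests with up to five ranges (four commas) keep their Range header; only values with five or more commas are stripped, so ordinary resumable downloads are unaffected.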