Apache HTTPd Range header DoS vulnerability

Article:TECH176351  |  Created: 2011-12-06  |  Updated: 2012-08-09  |  Article URL http://www.symantec.com/docs/TECH176351
Article Type: Technical Solution


Issue



A Denial of Service (DoS) vulnerability in the Apache Foundation's HTTPd was announced August 24th 2011. This vulnerability affects all versions of Apache Web servers released before the announcement. Symantec Protection Center (SPC) 12.0 Small Business Edition (SBE) and Symantec Endpoint Protection Manager (SEPM) 12.1 both utilize Apache Server for client-server connectivity.

For more information on this vulnerability see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192. For more information on vulnerabilities in Apache see http://httpd.apache.org/security_report.html.

Solution



A resolution for this vulnerability is planned for a future release of the SEPM 12.1 product. There are no current plans to release a fixed version of SPC 12.0 SBE. At this time, use one of the following workarounds:

To work around the problem on SEPM 12.1:
  1. Download the mod_setenvif.so file attached to this document and copy it to the %SEPM%\apache\modules folder.
  2. Modify the httpd.conf file located in the %SEPM%\apache\conf folder to contain the following lines:

     LoadModule setenvif_module modules/mod_setenvif.so
     SetEnvIfNoCase Range (,.*?){5,} bad-range=1
     RequestHeader unset Range env=bad-range

  3. Restart the following services:
     • Symantec Endpoint Protection Manager
     • Symantec Endpoint Protection Manager Webserver
 
To work around the problem on SPC 12.0:
  1. Modify the httpd.conf file located in the %SPC%\apache\conf folder to contain the following lines:

     SetEnvIfNoCase Range (,.*?){5,} bad-range=1
     RequestHeader unset Range env=bad-range

  2. Restart the following services:
     • Symantec Protection Center
     • Symantec Protection Center Webserver
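The filter that the httpd.conf lines in both workarounds above implement, as an added Python example (not Symantec's or Apache's code): it applies the same unanchored, case-insensitive regex to a Range value, drops the header when it matches, and runs over constructed sample requests whose host name and range values are made up for illustration.

```python
import re

# Mirrors the httpd.conf workaround in this article:
#   SetEnvIfNoCase Range (,.*?){5,} bad-range=1
#   RequestHeader unset Range env=bad-range
# SetEnvIfNoCase does an unanchored, case-insensitive regex search on the
# header value; on a match RequestHeader drops Range before core handling.
BAD_RANGE = re.compile(r"(,.*?){5,}", re.IGNORECASE)

def range_is_bad(range_value):
    """True if the value would set bad-range=1: five or more commas,
    i.e. six or more byte-range specs."""
    return BAD_RANGE.search(range_value) is not None

def count_ranges(range_value):
    """Number of comma-separated range specs, for reporting."""
    _, _, specs = range_value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])

def filter_headers(headers):
    """Apply the workaround to a dict of request headers (names matched
    case-insensitively, as Apache does). Returns (headers, stripped)."""
    cleaned, stripped = {}, False
    for name, value in headers.items():
        if name.lower() == "range" and range_is_bad(value):
            stripped = True  # 'RequestHeader unset Range env=bad-range'
            continue
        cleaned[name] = value
    return cleaned, stripped

# Constructed sample requests (hypothetical host and values, not from the article).
SAMPLE_REQUESTS = {
    "single": {"Host": "sepm.example", "Range": "bytes=0-499"},
    "two": {"Host": "sepm.example", "Range": "bytes=0-499,1000-1499"},
    "many": {"Host": "sepm.example",
             "RANGE": "bytes=0-1,2-3,4-5,6-7,8-9,10-11,12-13"},
    "none": {"Host": "sepm.example"},
}

def audit(requests=SAMPLE_REQUESTS):
    """Return {name: (range_count, stripped)} for each sample request."""
    result = {}
    for name, hdrs in requests.items():
        rng = next((v for k, v in hdrs.items() if k.lower() == "range"), "")
        _, stripped = filter_headers(hdrs)
        result[name] = (count_ranges(rng), stripped)
    return result

if __name__ == "__main__":
    for name, (n, stripped) in audit().items():
        print(f"{name:7s} ranges={n:2d} stripped={stripped}")
```

RequestHeader is provided by mod_headers, so that module must also be loaded for the unset line to take effect; note that `{5,}` fires on five or more commas, which is six or more range specs.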


