On Fri, Nov 4, 2011 at 2:59 PM, Ruiyuan Jiang <Ruiyuan_Jiang@xxxxxxx> wrote: > Hi, all > > I have an Apache reverse proxy server (v2.2.21) redirects traffic from http > to https for a back end web server. I don’t know the exact version of the > back end Apache web server because Oracle changed the version number but I > am sure it is below v2.2.21. Our vulnerability scan shows that the web site > has: > > Apache httpd Range header remote DoS (CVE-2011-3192) > (apache-httpd-cve-2011-3192) > > My question is that front end of Apache reverse proxy hide the back end web > server problem, isn’t it? If not, how do I fix the problem besides to > upgrade the version of back end Apache web server? Thanks. > > Ryan Jiang > Liz Claiborne, Inc. > > Did you read the CVE? It explained the issues and how to work around them… http://httpd.apache.org/security/CVE-2011-3192.txt Upgrading the reverse proxy will not protect the back end servers. The range headers are passed through to the back end, and so they must be capable of determining whether it is malicious or not - the proxy cannot really decide this. If you cannot upgrade the back ends, there are several mitigations listed in the CVE. Cheers Tom --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|