Thanks for the answer, Tom Ryan -----Original Message----- From: Tom Evans [mailto:tevans.uk@xxxxxxxxxxxxxx] Sent: Friday, November 04, 2011 11:19 AM To: users@xxxxxxxxxxxxxxxx Subject: Re: Apache httpd Range header remote DoS On Fri, Nov 4, 2011 at 2:59 PM, Ruiyuan Jiang <Ruiyuan_Jiang@xxxxxxx> wrote: > Hi, all > > I have an Apache reverse proxy server (v2.2.21) redirects traffic from http > to https for a back end web server. I don’t know the exact version of the > back end Apache web server because Oracle changed the version number but I > am sure it is below v2.2.21. Our vulnerability scan shows that the web site > has: > > Apache httpd Range header remote DoS (CVE-2011-3192) > (apache-httpd-cve-2011-3192) > > My question is that front end of Apache reverse proxy hide the back end web > server problem, isn’t it? If not, how do I fix the problem besides to > upgrade the version of back end Apache web server? Thanks. > > Ryan Jiang > Liz Claiborne, Inc. > > Did you read the CVE? It explained the issues and how to work around them… http://httpd.apache.org/security/CVE-2011-3192.txt Upgrading the reverse proxy will not protect the back end servers. The range headers are passed through to the back end, and so they must be capable of determining whether it is malicious or not - the proxy cannot really decide this. If you cannot upgrade the back ends, there are several mitigations listed in the CVE. Cheers Tom --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited.
|