
Thread: DoS Vulnerability - Apache 2.x

  1. #1

    DoS Vulnerability - Apache 2.x

    I did a quick search of the forums and I didn't see this posted so I wanted to share this with any Apache web server administrators out there. I apologize if this has already been posted.

    I received this email from Watchguard Technologies Live Security Service on April 3, 2003. It concerns a possible Denial of Service vulnerability affecting Apache versions 2.x. Since the details are not being released until next Tuesday, everyone is encouraged to install the newest version of Apache beforehand.


    SUMMARY:
    Yesterday, the Apache Software Foundation released the latest
    version of Apache to correct security flaws, including a
    "significant" Denial of Service (DoS) vulnerability. Apache has
    delayed releasing the details concerning this DoS flaw until April
    8. However, in most cases hackers exploit Web-based DoS
    vulnerabilities to either crash your Web server or disrupt your
    Website. There is no direct impact on WatchGuard products.
    Administrators using Apache 2.0 through 2.0.44 on any platform
    should download, test, and install 2.0.45 as soon as possible,
    before April 8, 2003.

    EXPOSURE:
    According to the Netcraft Web Server Survey
    <http://www.netcraft.com/survey/>,
    Apache is the most popular Web server used to host Web pages on the
    Internet today.

    In an announcement <http://www.apache.org/dist/httpd/Announcement2.html>
    on April 2, the Apache Software Foundation described their latest
    Apache version (2.0.45) as primarily a security and bug fix release.
    They warn that Apache versions 2.0 through 2.0.44, running on any
    platform, are vulnerable to a "significant" Denial of Service (DoS)
    <https://www3.watchguard.com/archive/...ossary.htm#dos>
    flaw, as well as various information leaks in Apache's CGI scripts.
    However, the full details concerning these vulnerabilities have not
    been made public. The Apache Software Foundation has promised that
    David Endler of iDEFENSE will disclose the details concerning the
    DoS flaw on April 8, 2003.

    The Apache Software Foundation acted similarly in August 2002,
    releasing a patch
    <https://www3.watchguard.com/archive/...sp?pack=135164>
    with strong encouragement to users to install it immediately to fix
    a "serious" vulnerability, but offering no details on the nature of
    the flaw that the patch fixed. When the vulnerability was revealed
    <https://www3.watchguard.com/archive/...sp?pack=135169>, it
    was not only a severe security problem, but it was also exploitable
    very easily, which was why Apache withheld details until
    administrators had opportunity to install the patch. If Apache's
    past performance is an indicator of present performance, we assume
    you should install the current patch now, before exploit details
    fall into the hands of the public (and malicious hackers).

    In most cases, hackers can exploit Web-based DoS flaws to either
    crash or disrupt your Web server. If you administer an e-commerce
    Website, this kind of disruption can affect your company's bottom
    line and should be taken very seriously. We will update you with the
    full scope of Apache's vulnerabilities on April 8, pending David
    Endler's advisory.

    SOLUTION PATH:
    Apache administrators running versions 2.0 through 2.0.44 on any
    platform should download, test, and install version 2.0.45
    <http://httpd.apache.org/download.cgi> as soon as possible before
    Tuesday, April 8, 2003.


  2. #2
    Can somebody please tell me what that Apache is???

  3. #3
    er0k
    Guest
    Apache is a web server application like Microsoft's (IIS) but much better. It allows you to "serve" things on the internet via IP or domain name (or both) with many extensions etc. such as virtual hosts. www.apache.org for more details.

  4. #4
    souleman, AntiOnline Senior Member, Flint, MI
    apache 2.0.46 was released Wednesday....

    http://httpd.apache.org/download.cgi

    The details of the DoS have not been released by Apache because they are not out in the public much yet.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  5. #5
    Senior Member

    Apache Upgrade Reminder

    It is always a good idea to keep Apache updated...
    I just did on my WinXP Game box
    I had 2.45, now I have 2.46

    Mama did not raise a dummy, so I do not use IIS!!

    Thanks for the reminder....
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle
