apache DOS attack CVE-2011-3192 and Solaris

D G Teed donald.teed at gmail.com
Fri Sep 9 09:17:50 EDT 2011


There are dozens of blogs, etc. discussing this simple script attack
anyone could run on a single client machine to cause a denial of service.

I checked for a patch from Oracle and didn't see anything fresh for apache.

I tried the first option listed here for mitigating and Apache 2 from Solaris 10
didn't like the syntax.

Apache announcement and suggested mitigation:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

# /usr/apache2/bin/apachectl configtest
Syntax error on line 18 of /etc/apache2/httpd.conf:
header unset takes two arguments

Has anyone seen information specific to apache from Solaris on
preventing this attack?


More information about the sunmanagers mailing list
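The two mitigation directives quoted above both hinge on one regular expression: `(,.*?){5,}` matches a Range header value containing at least five commas, i.e. six or more byte ranges, so the header is stripped only for requests beyond that limit. The following is an added example, not code from the original post or from the Apache project: it replays that check, plus the `RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)` alternative the linked announcement lists for servers whose mod_headers cannot take the `env=` argument, in Python so the boundary can be exercised offline. The sample Range values (a two-range resume download and a header with 1300 overlapping ranges in the style of the public attack script) are constructed inputs, and the helper names are mine.

```python
import re

# Regex from the announcement's SetEnvIf line. It matches when the Range value
# contains five or more commas, i.e. six or more byte ranges.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")

# Regex from the announcement's mod_rewrite alternative. A header that is empty
# or that holds at most five comma-separated ranges is considered acceptable;
# the RewriteCond negates it (!) and the RewriteRule answers 403 ([F]).
REWRITE_GOOD_RANGE = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")


def count_ranges(range_header: str) -> int:
    """Count the byte-range specs in a Range header value such as 'bytes=0-99,200-'."""
    if not range_header.startswith("bytes="):
        return 0
    spec = range_header[len("bytes="):]
    return len([r for r in spec.split(",") if r.strip()])


def setenvif_would_drop(range_header: str) -> bool:
    """Mirror 'SetEnvIf Range (,.*?){5,} bad-range=1' followed by
    'RequestHeader unset Range env=bad-range': True means the header is removed."""
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def rewrite_would_reject(range_header: str) -> bool:
    """Mirror the RewriteCond/RewriteRule variant: True means the request gets a 403."""
    return REWRITE_GOOD_RANGE.search(range_header) is None


def filter_headers(headers: dict) -> dict:
    """Return a copy of the request headers with Range removed when it is abusive.
    (Hypothetical helper standing in for what mod_headers does in the server.)"""
    out = dict(headers)
    if setenvif_would_drop(out.get("Range", "")):
        del out["Range"]
    return out


# Constructed samples (not captured traffic):
# a legitimate resumed download and a header with 1300 overlapping ranges.
BENIGN = "bytes=0-1023,2048-"
ABUSIVE = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))
EXACTLY_FIVE = "bytes=0-1,2-3,4-5,6-7,8-9"   # still allowed by both variants
SIX = "bytes=0-1,2-3,4-5,6-7,8-9,10-11"      # first value either variant blocks

if __name__ == "__main__":
    for label, value in [("benign", BENIGN), ("five", EXACTLY_FIVE),
                         ("six", SIX), ("abusive", ABUSIVE)]:
        print(f"{label:8s} ranges={count_ranges(value):5d} "
              f"setenvif_drop={setenvif_would_drop(value)} "
              f"rewrite_403={rewrite_would_reject(value)}")
```

Note that both variants leave requests with up to five ranges untouched, so normal resumed downloads and media players still get 206 responses; the cut-off comes from the announcement, not from anything specific to the attack script, and a site could tighten it by lowering the `{5,}` / `{0,4}` counts together. The rewrite variant needs mod_rewrite loaded and `RewriteEngine on` in the same scope, which is worth checking with `apachectl configtest` before relying on it.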