‘Devastating’ Apache bug leaves servers exposed • The Register

The post “‘Devastating’ Apache bug leaves servers exposed • The Register” contains this text:

“‘Devastating’ Apache bug leaves servers exposed

Devs race to fix weakness disclosed in 2007

By Dan Goodin in San Francisco

Posted in Security, 24th August 2011 18:05 GMT

Maintainers of the Apache webserver are racing to patch a severe weakness that allows an attacker to use a single PC to completely crash a system and was first diagnosed 54 months ago.

Attack code dubbed “Apache Killer” that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system.

“The behaviour when compressing the streams is devastating and can end up in rendering the underlying operating system unusable when the requests are sent parallely,” Kingcope, the researcher credited with writing and publishing the proof-of-concept attack code, wrote Wednesday on Apache’s Bugzilla discussion list. “Symptoms are swapping to disk and killing of processes including but solely httpd processes.””

 
