View Issue Details

ID: 0006389
Project: CentOS-6
Category: -OTHER
View Status: public
Last Update: 2013-11-19 19:49
Reporter: kabeiroi
Priority: immediate
Severity: major
Reproducibility: always
Status: resolved
Resolution: no change required
Platform: RHEL6
OS: CentOS 6.4 64-Bit
OS Version: CentOS 6.4 64Bit
Product Version: 6.4
Target Version:
Fixed in Version:
Summary: 0006389: Apachekiller.pl Vulnerability. REMOTE DENIAL OF SERVICE / Apache Remote Memory Exhaustion - VULNERABILITY / RDoS / ARME Attack

Description: The stable version 2.2 of Apache which yum updates to is vulnerable to solely one attack at the moment because of the version "2.2". It seriously needs to be upgraded to 2.4.4 in the repositories because the Perl script found here

http://seclists.org/fulldisclosure/2011/Aug/175

is capable of producing a Denial of Service attack effect on the 7th layer, the "Application Layer", which is Apache. Please update Apache immediately. Vulnerability scanners are capable of finding this exploit as well. Please consult with CentOS developers; CentOS users who run Apache are in dire need of an upgrade to Apache 2.4.4, and compiling it from source is not very easy. Sorry to sound like a novice, but the dependencies are not easy to deal with when compiling Apache 2.4.4 from source. Thank you.

Steps To Reproduce: http://seclists.org/fulldisclosure/2011/Aug/175

Additional Information: Default Apache in the repositories is vulnerable to a RDoS attack which is called Apache Remote Memory Exhaustion or ARME Attack. Please upgrade the version in the repos.

This little tiny script left my server hanging for about 4 minutes, and though CentOS remained stable after the attack was done, a simple "vmstat -s" showed my virtual memory usage went through the roof and might have actually crashed my server. Please upgrade the Apache version to 2.4.4; all CentOS systems running Apache 2.2 have this flaw!

Tags: No tags attached.

Activities

kabeiroi (reporter) ~0017176
2013-04-09 04:11

Here is how it is performed.

http://www.metasploit.com/modules/auxiliary/dos/http/apache_range_dos

tigalch (manager) ~0017178
2013-04-09 07:34

Apache will probably stay at 2.2 for the lifetime of CentOS-6 (or upstream's RHEL6). Fixes are usually backported, so the version you get from httpd has nothing to do with its vulnerability state. The CVE you mention is CVE-2011-3192, which is fixed with https://rhn.redhat.com/errata/RHSA-2011-1245.html since August 2011.
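A check for the point made above, added here as an example (not code from the CentOS tracker or the httpd project): on CentOS 6 the httpd package version stays 2.2.x, so the patch state has to be read from the RPM changelog (`rpm -q --changelog httpd`), where each backported CVE fix is recorded. The changelog excerpts, maintainer address and release strings below are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the CentOS tracker or the httpd project.
# On RHEL/CentOS 6 the httpd version stays 2.2.x while security fixes are
# backported, and each backported CVE fix is recorded in the RPM changelog.
# So the vulnerability state comes from the changelog, not the version number.

CVE_ID="CVE-2011-3192"   # the Range-header DoS fixed by RHSA-2011:1245

# Version-only check (what the report did): flags every 2.2.x build as
# affected, patched or not. Prints "affected" or "not-affected".
check_by_version() {
    case "$1" in
        2.2.*) echo "affected" ;;
        *)     echo "not-affected" ;;
    esac
}

# Changelog check: reads an RPM changelog from stdin and prints "fixed" if
# it records the CVE, otherwise "vulnerable".
check_by_changelog() {
    if grep -q -i "$CVE_ID"; then echo "fixed"; else echo "vulnerable"; fi
}

# Constructed changelog excerpts (placeholder maintainer, dates and release
# strings) standing in for the output of: rpm -q --changelog httpd
PATCHED_LOG='* Tue Sep 06 2011 Maintainer <maintainer@example.com> - 2.2.15-9.example.2
- add security fix for CVE-2011-3192'
UNPATCHED_LOG='* Mon Jul 11 2011 Maintainer <maintainer@example.com> - 2.2.15-9.example.1
- rebuild for CentOS 6.1'

# Both hosts report httpd 2.2.15, so the version check cannot tell them
# apart; the changelog check can.
printf 'patched host:   version=%s changelog=%s\n' \
    "$(check_by_version 2.2.15)" "$(printf '%s\n' "$PATCHED_LOG" | check_by_changelog)"
printf 'unpatched host: version=%s changelog=%s\n' \
    "$(check_by_version 2.2.15)" "$(printf '%s\n' "$UNPATCHED_LOG" | check_by_changelog)"

# On a real CentOS host with httpd installed, run the same check against
# the installed package's actual changelog.
if command -v rpm >/dev/null 2>&1 && rpm -q httpd >/dev/null 2>&1; then
    printf 'this host:      %s\n' "$(rpm -q --changelog httpd | check_by_changelog)"
fi
```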

tigalch (manager) ~0018368
2013-11-19 19:49

Treating this now as RESOLVED. The mentioned CVE is fixed.

Issue History

Date Modified Username Field Change
2013-04-09 03:41 kabeiroi New Issue
2013-04-09 04:11 kabeiroi Note Added: 0017176
2013-04-09 07:34 tigalch Note Added: 0017178
2013-04-09 07:34 tigalch Status new => feedback
2013-11-19 19:49 tigalch Note Added: 0018368
2013-11-19 19:49 tigalch Status feedback => resolved
2013-11-19 19:49 tigalch Resolution open => no change required