Apache 2.2.20 Released - Resolves "Apache Killer" Hole

General Discussion of atomic repo and development projects.

Ask for help here with anything else not covered by other forums.
dayo
Forum Regular
Forum Regular
Posts: 158
Joined: Sun Jul 12, 2009 1:33 pm

Apache 2.2.20 Released - Resolves "Apache Killer" Hole

Unread post by dayo »

v2.2.20 released to tackle so called "Apache Killer" Range header DoS vulnerability: http://www.apache.org/dist/httpd/Announcement2.2.html

Explained: http://www.theregister.co.uk/2011/08/30 ... ln_patched
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Apache 2.2.20 Released - Resolves "Apache Killer" Hole

Unread post by mikeshinn »

ASL and real time rules users are already immune to this vulnerability and do not need to upgrade apache. Please see this forum post from last month:

https://www.atomicorp.com/forums/viewto ... =13&t=5321
dayo
Forum Regular
Forum Regular
Posts: 158
Joined: Sun Jul 12, 2009 1:33 pm

Re: Apache 2.2.20 Released - Resolves "Apache Killer" Hole

Unread post by dayo »

Didn't expect any less.

Given the other admittedly small improvements, can we all look forward to an update? I assume this will have the added benefit of making the rules unnecessary since there are legitimate requests that can have many ranges. The Adobe PDF Reader apparently generates a boatload of them.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Apache 2.2.20 Released - Resolves "Apache Killer" Hole

Unread post by mikeshinn »

I assume this will have the added benefit of making the rules unnecessary since there are legitimate requests that can have many ranges.
Thank you for the question, yes and no. Does this mean that 2.2.20 is not vulnerable to this specific vulnerability, more than likely. Whether apache is, or is not vulnerable and disabling rules because you are no longer vulnerable is a different story. The downside of not being able to detect and respond to attacks, even if you are not vulnerable to them has its disadvantages:

https://atomicorp.com/company/blogs/231-tripwires.html

So you may want to consider leaving detection methods in place even if you are not vulnerable to the attack. An attack is an attack even if you are not vulnerable to it, and since its likely one attack means the bad guy is going to try another, its only possible to block them if you can detect them and the sooner you can do that the better. So you may want to keep rules even if you arent vulnerable to what they protect you against.
The Adobe PDF Reader apparently generates a boatload of them.
Our rules are smart enough to know the difference and will not false positive with smart ereaders, so you can safely use our protections with those kinds of applications. The other recommendations out there about this vulnerability will break pdf readers and will cause all sorts of havoc, so we do not recommend you use them.
dayo
Forum Regular
Forum Regular
Posts: 158
Joined: Sun Jul 12, 2009 1:33 pm

Re: Apache 2.2.20 Released - Resolves "Apache Killer" Hole

Unread post by dayo »

Great.

I totally agree with detection of attempts even if one is not vulnerable. The guy that tries the unsuccessful attempt is the same bad guy that will bring you down later given a chance.

What I meant was whether the so called "best version of apache" will be adopted by yourselves in any case.

Cheers
Post Reply