CVE-2011-3192

Severity

78%

Complexity

99%

Confidentiality

115%

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.


CVSS 2.0 Base Score 7.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C).

Overview

Type

Apache Software Foundation

First reported 13 years ago

2011-08-29 15:55:00

Last updated 6 years ago

2018-11-30 21:29:00

Affected Software

Apache Software Foundation Apache HTTP Server 1.3

1.3

Apache Software Foundation Apache HTTP Server 1.3.0

1.3.0

Apache Software Foundation Apache HTTP Server 1.3.1

1.3.1

Apache Software Foundation Apache HTTP Server 1.3.1.1

1.3.1.1

Apache Software Foundation Apache HTTP Server 1.3.2

1.3.2

Apache Software Foundation Apache HTTP Server 1.3.3

1.3.3

Apache Software Foundation Apache HTTP Server 1.3.4

1.3.4

Apache Software Foundation Apache HTTP Server 1.3.5

1.3.5

Apache Software Foundation Apache HTTP Server 1.3.6

1.3.6

Apache Software Foundation Apache HTTP Server 1.3.7

1.3.7

Apache Software Foundation Apache HTTP Server 1.3.8

1.3.8

Apache Software Foundation Apache HTTP Server 1.3.9

1.3.9

Apache Software Foundation Apache 1.3.10

1.3.10

Apache Software Foundation Apache HTTP Server 1.3.11

1.3.11

Apache Software Foundation Apache HTTP Server 1.3.12

1.3.12

Apache Software Foundation Apache 1.3.13

1.3.13

Apache Software Foundation Apache HTTP Server 1.3.14

1.3.14

Apache Software Foundation Apache 1.3.15

1.3.15

Apache Software Foundation Apache 1.3.16

1.3.16

Apache Software Foundation Apache HTTP Server 1.3.17

1.3.17

Apache Software Foundation Apache HTTP Server 1.3.18

1.3.18

Apache Software Foundation Apache HTTP Server 1.3.19

1.3.19

Apache Software Foundation Apache HTTP Server 1.3.20

1.3.20

Apache Software Foundation Apache HTTP Server 1.3.22

1.3.22

Apache Software Foundation Apache HTTP Server 1.3.23

1.3.23

Apache Software Foundation Apache HTTP Server 1.3.24

1.3.24

Apache Software Foundation Apache HTTP Server 1.3.25

1.3.25

Apache Software Foundation Apache HTTP Server 1.3.26

1.3.26

Apache Software Foundation Apache HTTP Server 1.3.27

1.3.27

Apache Software Foundation Apache HTTP Server 1.3.28

1.3.28

Apache Software Foundation Apache HTTP Server 1.3.29

1.3.29

Apache Software Foundation Apache HTTP Server 1.3.30

1.3.30

Apache Software Foundation Apache HTTP Server 1.3.31

1.3.31

Apache Software Foundation Apache HTTP Server 1.3.32

1.3.32

Apache Software Foundation Apache HTTP Server 1.3.33

1.3.33

Apache Software Foundation Apache HTTP Server 1.3.34

1.3.34

Apache Software Foundation Apache HTTP Server 1.3.35

1.3.35

Apache Software Foundation Apache HTTP Server 1.3.36

1.3.36

Apache Software Foundation Apache HTTP Server 1.3.37

1.3.37

Apache Software Foundation Apache HTTP Server 1.3.38

1.3.38

Apache Software Foundation Apache HTTP Server 1.3.39

1.3.39

Apache Software Foundation Apache HTTP Server 1.3.41

1.3.41

Apache Software Foundation Apache HTTP Server 1.3.42

1.3.42

Apache Software Foundation Apache HTTP Server 1.3.65

1.3.65

Apache Software Foundation Apache HTTP Server 1.3.68

1.3.68

Apache Software Foundation Apache HTTP Server 2.0

2.0

Apache Software Foundation Apache HTTP Server 2.0.9a

2.0.9

Apache Software Foundation Apache HTTP Server 2.0.28

2.0.28

Apache Software Foundation Apache HTTP Server 2.0.28 Beta

2.0.28

Apache Software Foundation Apache HTTP Server 2.0.32

2.0.32

Apache Software Foundation Apache HTTP Server 2.0.32 Beta

2.0.32

Apache Software Foundation Apache HTTP Server 2.0.34 Beta

2.0.34

Apache Software Foundation Apache HTTP Server 2.0.35

2.0.35

Apache Software Foundation Apache HTTP Server 2.0.36

2.0.36

Apache Software Foundation Apache HTTP Server 2.0.37

2.0.37

Apache Software Foundation Apache HTTP Server 2.0.38

2.0.38

Apache Software Foundation Apache HTTP Server 2.0.39

2.0.39

Apache Software Foundation Apache HTTP Server 2.0.40

2.0.40

Apache Software Foundation Apache HTTP Server 2.0.41

2.0.41

Apache Software Foundation Apache HTTP Server 2.0.42

2.0.42

Apache Software Foundation Apache HTTP Server 2.0.43

2.0.43

Apache Software Foundation Apache HTTP Server 2.0.44

2.0.44

Apache Software Foundation Apache HTTP Server 2.0.45

2.0.45

Apache Software Foundation Apache HTTP Server 2.0.46

2.0.46

Apache Software Foundation Apache HTTP Server 2.0.47

2.0.47

Apache Software Foundation Apache HTTP Server 2.0.48

2.0.48

Apache Software Foundation Apache HTTP Server 2.0.49

2.0.49

Apache Software Foundation Apache HTTP Server 2.0.50

2.0.50

Apache Software Foundation Apache HTTP Server 2.0.51

2.0.51

Apache Software Foundation Apache HTTP Server 2.0.52

2.0.52

Apache Software Foundation Apache HTTP Server 2.0.53

2.0.53

Apache Software Foundation Apache HTTP Server 2.0.54

2.0.54

Apache Software Foundation Apache HTTP Server 2.0.55

2.0.55

Apache Software Foundation Apache HTTP Server 2.0.56

2.0.56

Apache Software Foundation Apache HTTP Server 2.0.57

2.0.57

Apache Software Foundation Apache HTTP Server 2.0.58

2.0.58

Apache Software Foundation HTTP Server 2.0.59

2.0.59

Apache Software Foundation Apache HTTP Server 2.0.60 dev

2.0.60

Apache Software Foundation HTTP Server 2.0.61

2.0.61

Apache Software Foundation Apache HTTP Server 2.0.63

2.0.63

Apache Software Foundation Apache HTTP Server 2.0.64

2.0.64

Apache Software Foundation Apache HTTP Server 2.2.0

2.2.0

Apache Software Foundation Apache HTTP Server 2.2.1

2.2.1

Apache Software Foundation Apache HTTP Server 2.2.2

2.2.2

Apache Software Foundation Apache HTTP Server 2.2.3

2.2.3

Apache Software Foundation Apache HTTP Server 2.2.4

2.2.4

Apache Software Foundation Apache HTTP Server 2.2.6

2.2.6

Apache Software Foundation Apache HTTP Server 2.2.8

2.2.8

Apache Software Foundation Apache HTTP Server 2.2.9

2.2.9

Apache Software Foundation Apache HTTP Server 2.2.10

2.2.10

Apache Software Foundation Apache HTTP Server 2.2.11

2.2.11

Apache Software Foundation Apache HTTP Server 2.2.12

2.2.12

Apache Software Foundation Apache HTTP Server 2.2.13

2.2.13

Apache Software Foundation Apache HTTP Server 2.2.14

2.2.14

Apache Software Foundation Apache HTTP Server 2.2.15

2.2.15

Apache Software Foundation Apache HTTP Server 2.2.16

2.2.16

Apache Software Foundation Apache HTTP Server 2.2.18

2.2.18

Apache Software Foundation Apache HTTP Server 2.2.19

2.2.19

References

20110824 Re: Apache Killer

http://blogs.oracle.com/security/entry/security_alert_for_cve_2011

APPLE-SA-2011-10-12-3

openSUSE-SU-2011:0993

SUSE-SU-2011:1000

SUSE-SU-2011:1007

SUSE-SU-2011:1010

SUSE-SU-2011:1216

SUSE-SU-2011:1229

[announce] 20110824 Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

Vendor Advisory

[dev] 20110823 Re: DoS with mod_deflate & range requests

Patch

HPSBUX02702

HPSBUX02707

SSRT100619

SSRT100624

SSRT100852

SSRT100966

74721

20110820 Apache Killer

Exploit

45606

Vendor Advisory

45937

46000

46125

46126

1025960

http://support.apple.com/kb/HT5002

http://www.apache.org/dist/httpd/Announcement2.2.html

20110830 Apache HTTPd Range Header Denial of Service Vulnerability

17696

Exploit

http://www.gossamer-threads.com/lists/apache/dev/401638

VU#405811

US Government Resource

MDVSA-2011:130

MDVSA-2013:150

http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

RHSA-2011:1245

RHSA-2011:1294

RHSA-2011:1300

RHSA-2011:1329

RHSA-2011:1330

RHSA-2011:1369

49303

USN-1199-1

https://bugzilla.redhat.com/show_bug.cgi?id=732928

Exploit

apache-http-byterange-dos(69396)

https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

https://issues.apache.org/bugzilla/show_bug.cgi?id=51714

Exploit

[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

oval:org.mitre.oval:def:14762

oval:org.mitre.oval:def:14824

oval:org.mitre.oval:def:18827
