Document Properties
Kbid: 227Y47
Last Modified: 26-Aug-2011
Added to KB: 26-Aug-2011
Public Access: Everyone
Status: Online
Doc Type: TechTalk Newsletter
Unscheduled TechTalk: A major Security Advice for Apache Webservers

Due to a bug in the processing of byte-range headers, the web server can be forced into overload. Multiple HTTP connections and simultaneous GET requests with a special byte-range header trigger a vulnerability that affects Apache web servers which have been delivered with an Enfinity Suite installation.

Intershop TechTalk
An unscheduled Technical Newsletter for Supported Intershop Customers Security Advice

Major Security Advice:

Description of the problem:

As you have probably noticed, on August 24 a security advisory was issued for Apache Webserver 2.x.

On August 26, an update was published:

Due to a bug in the processing of byte-range headers, the web server can be forced into overload. Multiple HTTP connections and simultaneous GET requests with a special byte-range header trigger a vulnerability that affects Apache web servers which have been delivered with an Enfinity Suite installation.

Adjustment:

Apache provides several possible workarounds. We suggest you use "Mitigation: 1), Option 1" from the article above.

Limit the range requests by using the configuration "RequestHeader unset Range".

To do this, the main section of httpd.conf has to be adjusted. Please include the following lines:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

ATTENTION: Some older Apache versions throw an error when starting with these settings:

Syntax error on line xxx of /etc/opt/intershop/eserver1/httpd/httpd.conf: header unset takes two arguments

In this case, please use "Mitigation: 1), Option 2" from the article above: make sure mod_rewrite is loaded and insert these settings in httpd.conf:

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

Please first test this workaround on a test system, because we cannot evaluate all possible side effects on individualized systems and therefore cannot give guarantees.
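
As an added example (not part of the original newsletter or of Apache's advisory), the following Python sketch runs the two patterns from the workarounds above against constructed Range headers, so the expected behaviour is known before the settings are tried on a test system. It assumes Python's re module treats these two patterns the same way Apache's regex engine does; the function names and sample headers are made up for illustration.

```python
import re

# Patterns copied verbatim from the two httpd.conf workarounds above.
OPTION1_BAD_RANGE = re.compile(r"(,.*?){5,}")
OPTION2_ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")


def option1_action(range_header):
    """SetEnvIf + RequestHeader unset: the Range header is dropped on a match."""
    value = range_header or ""
    return "range-dropped" if OPTION1_BAD_RANGE.search(value) else "unchanged"


def option2_action(range_header):
    """RewriteCond is negated with '!', so [F] fires when the pattern does NOT match."""
    value = range_header or ""  # an absent header expands to an empty string
    return "allowed" if OPTION2_ALLOWED.search(value) else "forbidden"


def make_range(count):
    """Constructed sample: a Range header with `count` non-overlapping byte ranges."""
    return "bytes=" + ",".join(f"{i * 10}-{i * 10 + 9}" for i in range(count))


# Constructed test headers (not taken from real traffic).
SAMPLES = [
    ("no Range header", None),
    ("single range", make_range(1)),
    ("5 ranges", make_range(5)),
    ("6 ranges", make_range(6)),
    ("50 ranges", make_range(50)),
    ("capitalised unit", "Bytes=0-499"),
]


def evaluate(samples=SAMPLES):
    """Return (label, option 1 result, option 2 result) for each sample."""
    return [(label, option1_action(h), option2_action(h)) for label, h in samples]


if __name__ == "__main__":
    for label, opt1, opt2 in evaluate():
        print(f"{label:18} option1={opt1:14} option2={opt2}")
```

The last sample shows a side effect worth checking on the test system: Option 2 matches "bytes=" case-sensitively, so a header with a differently cased unit is refused, while Option 1 leaves it untouched.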

Next step:

Apache has already reacted and announced an update. As soon as this is available, we will check whether Intershop needs to take action. If that is the case, we will inform you right away.
Note: On September 12, 2011 a Custom Fix for Apache 2.2.20 was published for all Enfinity 6.4 systems.

German Version (translated):

Important security notice:

Description of the problem

As you have surely already noticed, on 24 August 2011 a security vulnerability in Apache Webserver 2.x was reported.

It is based on a bug in the processing of byte-range headers: with multiple HTTP connections and simultaneous GET requests carrying a special byte-range header, the web server can be brought to a standstill within a short time. The Apache web servers delivered as part of an Enfinity Suite installation are also affected by this behaviour.

Adjustment:

Apache provides several possible workarounds in the article above. We recommend "Mitigation: 1), Option 1" from it.

Limit the range requests by means of the configuration "RequestHeader unset Range".

For this, the httpd.conf must be adjusted in the main section. Please insert the following lines:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

ATTENTION: Some older Apache versions throw this error on startup:

Syntax error on line xxx of /etc/opt/intershop/eserver1/httpd/httpd.conf: header unset takes two arguments

In this case, please use "Mitigation: 1), Option 2" from the article mentioned: make sure that mod_rewrite is loaded and insert the following lines into httpd.conf:

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

Please test this workaround on a test system first, because in the short time available we were not able to test all variants sufficiently and so cannot estimate possible side effects.

Next steps:

Apache has already reacted to this issue and announced an update. As soon as it is available, we will check to what extent further action by Intershop is required and inform you about it if necessary.
Note: On 12 September a custom fix for Apache 2.2.20 was published that secures all Enfinity 6.4 systems.

Intershop TechTalk is distributed quarterly to all Intershop customers with Support Agreements. Intershop Customer Support continually strives to improve its services, including this newsletter. As always, your feedback is important. Please send your suggestions to techtalk@intershop.de.
Disclaimer
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.