Recently sample code was posted publicly that exploits a denial of service vulnerability in the Apache HTTP Server. This particular vulnerability is receiving considerable industry attention given the popularity of Apache httpd and amid reports that exploitation has been seen in the wild. This vulnerability has been assigned CVE ID CVE-2011-3192 and currently scores a 7.8/6.3 using CVSS. By combining inefficiencies inside the web server software with a protocol design peculiarity, an attacker could consume substantial server CPU and memory by issuing requests that contain many overlapping Range or Request-Range values. Successful exploitation would consume server resources to the point of starving those needed to field legitimate requests from other users.
↧