Description

A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tools has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.

This alert was generated using only banner information. It may be a false positive.

Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19).

Remediation

Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.

References

CVE-2011-3192

Apache HTTPD Security ADVISORY

Apache httpd Remote Denial of Service (memory exhaustion)

Related Vulnerabilities

Undertow CVE-2022-4492 Vulnerability (CVE-2022-4492)

MySQL CVE-2018-2576 Vulnerability (CVE-2018-2576)

WordPress Plugin Paid Membership, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content-ProfilePress Cross-Site Scripting (3.2.15)

MySQL CVE-2017-3641 Vulnerability (CVE-2017-3641)

WordPress Plugin WP SMS Cross-Site Scripting (5.4.9)

Severity

Medium

Classification

CVE-2011-3192 CWE-399 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A

Tags

Denial Of Service Missing Update