PT-2011-1007 · Apache · Apache Http Server

Kingcope

·

Published

2011-05-11

·

Updated

2026-03-10

·

CVE-2011-3192

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 1.3.x, and 2.0.x through 2.0.64
Apache HTTP Server versions 2.2.x through 2.2.19
Description

The vulnerability lies in the way Apache HTTP Server handles requests whose Range header has been crafted by the client. The byterange filter processes every range listed in the header individually and buffers the corresponding data for each one, so memory and CPU consumption grow with the number of ranges rather than with the size of the response. A single request carrying a Range header with hundreds of overlapping or duplicate ranges is therefore enough to make a remote, unauthenticated attacker exhaust the server's memory and CPU until it stops responding to HTTP requests. The issue was exploited in the wild with a publicly released tool before a fix was available.
Recommendations

Upgrade to a fixed release: for the 2.0.x branch, a version later than 2.0.64; for the 2.2.x branch, a version later than 2.2.19 (the fix shipped in 2.2.20, and 2.2.21 corrected a regression in byterange handling introduced by that fix). The 1.3.x branch is end-of-life and received no fix, so servers still on it need to be migrated rather than patched.

Where an upgrade cannot be applied immediately, filter the Range header in front of the byterange filter. Apache's own advisory offered two workarounds: strip the Range header with mod_headers (SetEnvIf to mark requests whose Range header contains more than five ranges, then RequestHeader unset Range for those requests), or reject such requests outright with a mod_rewrite rule. In both variants the legacy Request-Range header, which the same filter still honours, should be dropped unconditionally. Legitimate clients (PDF viewers, media players) do send multi-range requests, but rarely more than a handful, so a threshold around five ranges mitigates the attack without breaking them. Note that a reverse proxy or load balancer in front of the server can apply the same filtering when the origin itself cannot be changed quickly.
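To make the description and the workaround above concrete, the following Python is an added example (not part of this advisory, and not Apache's code) of the check a request filter or reverse proxy would apply: it parses a Range header into its byte-range specs, counts them, detects overlapping or duplicate ranges, and decides whether to pass the header through, drop it, or reject the request. The five-range threshold follows Apache's published workaround; the `decide`, `parse_ranges` and `has_overlap` functions and the `RangeDecision` type are names chosen for this example. The sample headers are constructed here, including one modelled on the pattern of the public exploit (a leading `0-` followed by hundreds of ranges that all start at offset 5); none is captured traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threshold from Apache's published workaround: more than five ranges in one
# header is treated as abusive. Tunable, but five keeps real clients working.
MAX_RANGES = 5

# One byte-range-spec is "first-last", "first-" or "-suffix" (RFC 7233 syntax).
_SPEC_RE = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")


@dataclass
class RangeDecision:
    action: str          # "pass", "drop-header" or "reject"
    reason: str
    ranges: int          # number of byte-range-specs parsed (0 if unparseable)
    overlapping: bool    # True if any two specs share a byte or repeat


def parse_ranges(header: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) tuples.

    Open-ended ranges ('c-') are returned as (c, None) and suffix ranges
    ('-d') as (None, d). Returns None when the header is not a
    syntactically valid byte-range set.
    """
    value = header.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs = []
    for part in value[len("bytes="):].split(","):
        m = _SPEC_RE.match(part.strip())
        if not m:
            return None
        first, last, suffix = m.groups()
        if suffix is not None:
            specs.append((None, int(suffix)))
        else:
            specs.append((int(first), int(last) if last else None))
    return specs


def has_overlap(specs, resource_len: int = 1 << 62) -> bool:
    """Report whether any two ranges share a byte (duplicates included).

    Open-ended and suffix ranges are resolved against resource_len so the
    check runs offline; the default is a large placeholder, not a real size.
    """
    resolved = []
    for first, last in specs:
        if first is None:            # "-d": the last d bytes of the resource
            resolved.append((max(resource_len - last, 0), resource_len - 1))
        else:
            resolved.append((first, last if last is not None else resource_len - 1))
    resolved.sort()
    for (_, a_end), (b_start, _) in zip(resolved, resolved[1:]):
        if b_start <= a_end:
            return True
    return False


def decide(range_header: Optional[str], request_range_header: Optional[str] = None) -> RangeDecision:
    """Decide how a filter in front of httpd should treat the request's range headers."""
    # The legacy Request-Range header is honoured by the same byterange filter
    # and has no legitimate modern use, so the workaround drops it unconditionally.
    if request_range_header is not None:
        return RangeDecision("drop-header", "legacy Request-Range header present", 0, False)
    if range_header is None:
        return RangeDecision("pass", "no Range header", 0, False)
    specs = parse_ranges(range_header)
    if specs is None:
        # A malformed Range header is normally ignored by the server and the
        # whole resource is served, so dropping it preserves that behaviour.
        return RangeDecision("drop-header", "unparseable Range header", 0, False)
    overlap = has_overlap(specs)
    if len(specs) > MAX_RANGES:
        return RangeDecision("reject", f"{len(specs)} ranges exceeds limit of {MAX_RANGES}", len(specs), overlap)
    if overlap:
        # Few ranges, but they overlap: no legitimate reason to ask for the
        # same bytes twice, so serve the full resource instead.
        return RangeDecision("drop-header", "overlapping or duplicate ranges", len(specs), overlap)
    return RangeDecision("pass", "ok", len(specs), overlap)


# Constructed sample headers for this example (not captured traffic).
BENIGN_SINGLE = "bytes=0-499"
BENIGN_MULTI = "bytes=0-99,200-299,-100"
# Modelled on the pattern of the 2011 public exploit: "0-" followed by
# hundreds of ranges that all start at offset 5 and overlap one another.
ATTACK = "bytes=0-," + ",".join(f"5-{i}" for i in range(0, 1300))

if __name__ == "__main__":
    for name, hdr in [("single", BENIGN_SINGLE), ("multi", BENIGN_MULTI), ("attack", ATTACK)]:
        d = decide(hdr)
        print(f"{name:7s} -> {d.action:11s} ({d.ranges} ranges, overlap={d.overlapping}): {d.reason}")
```

Run as a script it prints the decision for each constructed header; the attack-style header is rejected on the range count alone, while the two-range overlapping case is handled by dropping the header rather than failing the request, which mirrors what the mod_headers variant of the Apache workaround does. Counting and overlap detection happen before any range is served, which is exactly the point at which the affected byterange filter did not bound its work.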

Exploit

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

APACHERANGECHECK
BDU:2014-00049
CVE-2011-3192
DSA-2298-1
ELSA-2011-1245
HPSBUX02702
HPSBUX02707
OPENSUSE-SU-2024:10268-1
RHSA-2011:1245
RHSA-2011:1294
RHSA-2011:1300
RHSA-2011:1329
RHSA-2011:1369
RHSA-2011_0507
RHSA-2011_1245
RHSA-2011_1294
RHSA-2011_1391

Affected Products

Apache Http Server
Hp-Ux
Red Hat