Interstage HTTP Server: Security Vulnerability Problem (CVE-2011-3192). February 20th, 2012

Notes on using this web page

1. Description

Due to a problem with the processing of the Range header in Apache HTTP Server, Denial of Service (DoS) vulnerability (CVE-2011-3192) have been confirmed.

Apache HTTP Server Version 2.0-based Interstage HTTP Server is affected by this vulnerability.
Apache HTTP Server Version 1.3-based Interstage HTTP Server is not affected by this vulnerability.

Fujitsu provides security patches shown in 3. Please apply them as soon as possible.

2. Impact

A modified request sent by a remote attacker may consume large amounts of memory and CPU on the Web server and cause Denial of Service (DoS).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

1. For products where the patch ID is "None", no patch will be provided, since Apache HTTP Server Version 1.3 on which Interstage HTTP Server based is not affected by this vulnerability.

The following "3-3 workaround" depends on the product. Refer to the letter in the square brackets at the end of the product name for details.

Note: Determining the affected product

To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

To avoid the problem, edit the environment definition file (httpd.conf) in one of the following ways. After the file is edited, Interstage HTTP Server must be restarted.
Additionally, the method that outputs and confirms the Range header and Request-Range header content in the access log is also defined.

• For [a] products: According to the Apache advisory, there are no vulnerability effects. However, it is recommended that the definition be changed since unexpected loads may occur.
  1. Set an error to occur if too many ranges are specified in the Range header of the request.
     • < Side Effect >
       • Clients which specifis too many ranges in the Range header may not run correctly.
     • < Note >
       • Check the LoadModule and AddModule directive definitions of the mod_rewrite module. If directives are enabled in the initial settings definition of the Interstage HTTP Server environment definition file (httpd.conf), change them to comment lines to disable them, and put the mod_rewrite module after all the LoadModule directive definitions so that it takes priority of other modules.
       • In the virtual host, set the rewrite feature directive (RewriteEngine/RewriteCond/RewriteRule) for each virtual host.
     • < Example >
       • Set an error to occur when requests are specified in more than 5 ranges in the Range header:
           ...
         #LoadModule info_module modules/mod_info.so
         #LoadModule speling_module modules/mod_speling.so
         #LoadModule rewrite_module modules/mod_rewrite.so
         #LoadModule anon_auth_module modules/mod_auth_anon.so
         #LoadModule dbm_auth_module modules/mod_auth_dbm.so
           ...
         AddModule mod_alias.c
         #AddModule mod_rewrite.c
         AddModule mod_access.c
           ...
         LoadModule jk2_module "C:/Interstage/F3FMjs4/gateway/mod_jk2.dll"
           ...
         
         LoadModule rewrite_module modules/mod_rewrite.so
         AddModule mod_rewrite.c
         
         # Reject request when more than 5 ranges in the Range: header.
         # CVE-2011-3192
         #
         RewriteEngine on
         RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
         RewriteCond %{HTTP:request-range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
         RewriteRule .* - [F]
  For [a] products, the method that outputs the Range header and Request-Range header content to the access log is shown as follows:
  • Add the LogFormat directive.
    LogFormat "%h %l %u %t \"%r\" %&gt;s %b \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
  • Change the format nickname specified for the CustomLog directive.
    Before change: CustomLog "|ihsrlog -s logs/accesslog 1 5" common
    After change: CustomLog "|ihsrlog -s logs/accesslog 1 5" ihs-range
• For [b] products:
  According to the Apache advisory, there are no vulnerability effects. However, it is recommended that the definition be changed since unexpected loads may occur.
  
  1. Set an error to occur if too many ranges are specified in the Range header of the request.
     
     • < Side Effect >
       • Clients which specifis too many ranges in the Range header may not run correctly.
     • < Note >
       • Check the LoadModule and AddModule directive definitions of the mod_rewrite module. If directives are enabled in the initial settings definition of the Interstage HTTP Server environment definition file (httpd.conf), change them to comment lines to disable them, and put the mod_rewrite module after all the LoadModule directive definitions so that it takes priority of other modules.
       • In the virtual host, set the rewrite feature directive (RewriteEngine/RewriteCond/RewriteRule) for each virtual host.
     • < Example >
       • Set an error to occur when requests are specified in more than 5 ranges in the Range header:
         
           ...
         LoadModule vhost_alias_module libexec/mod_vhost_alias.so
         LoadModule env_module libexec/mod_env.so
         #LoadModule rewrite_module libexec/mod_rewrite.so
         LoadModule access_module libexec/mod_access.so
         LoadModule auth_module libexec/mod_auth.so
           ...
         AddModule mod_alias.c
         #AddModule mod_rewrite.c
         AddModule mod_access.c
           ...
         LoadModule jk2_module /opt/FJSVjs4/gateway/mod_jk2.so
           ...
         
         LoadModule rewrite_module libexec/mod_rewrite.so
         AddModule mod_rewrite.c
         
         # Reject request when more than 5 ranges in the Range: header.
         # CVE-2011-3192
         #
         RewriteEngine on
         RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
         RewriteCond %{HTTP:request-range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
         RewriteRule .* - [F]
  For [b] products, the method that outputs the Range header and Request-Range header content to the access log is shown as follows:
  • Add the LogFormat directive.
    LogFormat "%h %l %u %t \"%r\" %&gt;s %b \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
  • Change the format nickname specified for the CustomLog directive.
    Before change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s /opt/FJSVihs/logs/accesslog 1 5" common
    After change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s /opt/FJSVihs/logs/accesslog 1 5" ihs-range
• For [c] products:
  1. Set an error to occur if too many ranges are specified in the Range header of the request.
     • < Side Effect >
       
       • Clients which specifis too many ranges in the Range header may not run correctly.
     • < Note >
       • In the virtual host, set the rewrite feature directive (RewriteEngine/RewriteCond/RewriteRule) for each virtual host.
     • < Example >
       • Set an error to occur when requests are specified in more than 5 ranges in the Range header:
         
         LoadModule headers_module "C:/Interstage/F3FMihs/modules/mod_headers.so"
         LoadModule rewrite_module "C:/Interstage/F3FMihs/modules/mod_rewrite.so"
         
         # Reject request when more than 5 ranges in the Range: header.
         # CVE-2011-3192
         #
         RewriteEngine on
         RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
         RewriteRule .* - [F]
         
         # We always drop Request-Range; as this is a legacy
         # dating back to MSIE3 and Netscape 2 and 3.
         RequestHeader unset Request-Range
  2. Disable the Range header.
     • < Side Effect >
       • Clients which specifis too many ranges in the Range header may not run correctly.
     • < Example >
       • LoadModule headers_module "C:/Interstage/F3FMihs/modules/mod_headers.so"
         
         RequestHeader unset Range
         
         # We always drop Request-Range; as this is a legacy
         # dating back to MSIE3 and Netscape 2 and 3.
         RequestHeader unset Request-Range
  For [c] products, the method that outputs the Range header and Request-Range header content to the access log is shown as follows:
  • Add the LogFormat directive.
    LogFormat "%h %l %u %t \"%r\" %&gt;s %b %A:%p %{Host}i %P %S %{UNIQUE_ID}e \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
  • Change the format nickname specified for the CustomLog directive.
    Before change: CustomLog "|ihsrlog.exe -s logs/accesslog 1 5" ihs-analysis
    After change: CustomLog "|ihsrlog.exe -s logs/accesslog 1 5" ihs-range
• For [d] products:
  1. Set an error to occur if too many ranges are specified in the Range header of the request.
     • < Side Effect >
       • Clients which specifis too many ranges in the Range header may not run correctly.
     • < Note >
       • In the virtual host, set the rewrite feature directive (RewriteEngine/RewriteCond/RewriteRule) for each virtual host.
     • < Example >
       • Set an error to occur when requests are specified in more than 5 ranges in the Range header:
         
         LoadModule headers_module "/opt/FJSVihs/modules/mod_headers.so"
         LoadModule rewrite_module "/opt/FJSVihs/modules/mod_rewrite.so"
         
         # Reject request when more than 5 ranges in the Range: header.
         # CVE-2011-3192
         #
         RewriteEngine on
         RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
         RewriteRule .* - [F]
         
         # We always drop Request-Range; as this is a legacy
         # dating back to MSIE3 and Netscape 2 and 3.
         RequestHeader unset Request-Range
  2. Disable the Range header.
     • < Side Effect >
       • Clients that use HTTP streaming may not run correctly.
     • < Example >
       • LoadModule headers_module "/opt/FJSVihs/modules/mod_headers.so"
         
         RequestHeader unset Range
         
         # We always drop Request-Range; as this is a legacy
         # dating back to MSIE3 and Netscape 2 and 3.
         RequestHeader unset Request-Range
  For [d] products, the method that outputs the Range header and Request-Range header content to the access log is shown as follows:
  • Add the LogFormat directive.
    LogFormat "%h %l %u %t \"%r\" %&gt;s %b %A:%p %{Host}i %P %S %{UNIQUE_ID}e \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
  • Change the format nickname specified for the CustomLog directive.
    Before change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s logs/accesslog 1 5" ihs-analysis
    After change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s logs/accesslog 1 5" ihs-range

4. Related information

• CVE-2011-3192
  The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

5. Revision history

• February 20th, 2012: 7th release
  • Change the Patch ID in "3-2. Affected products and required patch".
• December 28th, 2011: 6th release
  • Change the Patch ID in "3-2. Affected products and required patch".
  • Add the following products to "3-2. Affected products and required patch".
    • Interstage Application Server Enterprise Edition for Windows [c]    V10.0.0    Windows 2003/ 2003R2/ 2008/ 2008R2
    • Interstage Application Server Standard-J Edition for Windows [c]    V10.0.0    Windows 2003/ 2003R2/ 2008/ 2008R2
    • Interstage Application Server Enterprise Edition for Windows [c]    V10.0.0    Windows(EM64T) 2003/ 2003R2/ 2008/ 2008R2
    • Interstage Application Server Standard-J Edition for Windows [c]    V10.0.0    Windows(EM64T) 2003/ 2003R2/ 2008/ 2008R2
    • Interstage Application Server Enterprise Edition [d]    V10.0.0    Solaris 9/ 10
    • Interstage Application Server Standard-J Edition [d]    V10.0.0    Solaris 9/ 10
    • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL5(x86)/ RHEL5(Intel64)
    • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL5(x86)/ RHEL5(Intel64)
    • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL6(x86)/ RHEL6(Intel64)
    • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL6(x86)/ RHEL6(Intel64)
    • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL5(Intel64)
    • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL5(Intel64)
    • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL6(Intel64)
    • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL6(Intel64)
    • Interstage Studio Standard-J Edition for Windows [c]    V10.0.0    Windows 2003/ 2003R2/ 2008/ 2008R2/ XP/ Vista/ 7
• December 21st, 2011: 5th release
  • Change the Patch ID in "3-2. Affected products and required patch".
• December 15th, 2011: 4th release
  • Change the Patch ID in "3-2. Affected products and required patch".
• December 12th, 2011: 3rd release
  • Change the Patch ID and Scheduled Date in "3-2. Affected products and required patch".
• December 2nd, 2011: 2nd release
  • Add the patch schedule to "3-2. Affected products and required patch".
• November 7th, 2011: Initial release