Quick Fix for Apache CVE-2011-3192 – Ubuntu/Debian

Please note – Apache have released a fix to this issue, and as such the below guidance has now been superseded by their fix.

I have been aware of the Apache web server issue for the last few days, where an overly wide range is requested from the server, leading to a crash in the server. As a patch hasn’t yet been released by Apache, people are coding their own solutions, and one such solution was found at edwiget.name.

That fix was for CentOS based Linux distributions, so this re-write covers how to do the same fix under Debian based distributions.

Check to make sure that the headers module has been installed:

locate mod_headers

Then, add the config above to the headers module:

echo "# As found at http://www.edwiget.name/2011/08/quick-fix-for-apache-cve-2011-3192/
<IfModule mod_headers.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range
</IfModule>" | sudo tee /etc/apache2/mods-available/headers.conf

And lastly, enable the module:

a2enmod headers

EDIT: 2011-08-26 as per Ed’s comment below. Many thanks!

2 thoughts to “Quick Fix for Apache CVE-2011-3192 – Ubuntu/Debian”

  1. thanks for your feedback. I also updated the SetEnvIf today and added a method for older Netscape as per apache foundation. You should also update your httpd.conf code too. The new code is below (not sure how the format will turn out):

    # Drop the Range header when more than 5 ranges.
    # CVE-2011-3192
    SetEnvIf Range (?:,.*?){5,5} bad-range=1
    RequestHeader unset Range env=bad-range
    # We always drop Request-Range; as this is a legacy
    # dating back to MSIE3 and Netscape 2 and 3.
    RequestHeader unset Request-Range
    # optional logging.
    CustomLog logs/range-CVE-2011-3192.log common env=bad-range
    CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.