Description

A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server (both versions):
An attack tool is circulating in the wild. Active use of this tool has
The attack can be done remotely, and a modest number of requests can
cause very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch or new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
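As an added illustration (not part of this advisory and not the shell script it refers to), the following Python check parses an HTTP Range header the way a mitigation filter would and flags requests that carry many or overlapping byte ranges, which is the request shape this advisory describes. The range-count threshold, the sample headers and the resource size are assumptions made for the example.

```python
"""Added example: parse a Range header and flag many/overlapping byte ranges.

Not taken from the advisory or its attached script; thresholds are assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed policy threshold for this example (not a value from the advisory).
MAX_RANGES = 5

_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)

RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_ranges(header: str) -> List[RangeSpec]:
    """Split a Range header value into (first_byte, last_byte) pairs.

    first_byte is None for a suffix range such as '-500'; last_byte is None
    for an open-ended range such as '500-'. Malformed specs raise ValueError.
    """
    m = _BYTES_RE.match(header)
    if not m:
        raise ValueError("unsupported or malformed Range header")
    specs: List[RangeSpec] = []
    for raw in m.group(1).split(","):
        raw = raw.strip()
        if not raw:
            continue  # empty list elements are tolerated
        first, sep, last = raw.partition("-")
        if not sep or (not first and not last):
            raise ValueError(f"malformed byte-range-spec: {raw!r}")
        if (first and not first.isdigit()) or (last and not last.isdigit()):
            raise ValueError(f"malformed byte-range-spec: {raw!r}")
        specs.append((int(first) if first else None, int(last) if last else None))
    return specs


def normalize(specs: List[RangeSpec], resource_size: int) -> List[Tuple[int, int]]:
    """Resolve suffix and open-ended ranges into absolute [lo, hi] intervals.

    Ranges that cannot be satisfied (start past the end of the resource, or
    start > end) are dropped, matching how a server would treat them.
    """
    last_byte = resource_size - 1
    intervals: List[Tuple[int, int]] = []
    for first, last in specs:
        if first is None:
            lo, hi = max(0, resource_size - last), last_byte
        else:
            lo = first
            hi = last_byte if last is None else min(last, last_byte)
        if lo <= hi:
            intervals.append((lo, hi))
    return intervals


def has_overlap(intervals: List[Tuple[int, int]]) -> bool:
    """True if any two intervals share at least one byte."""
    ordered = sorted(intervals)
    for (_, hi_a), (lo_b, _) in zip(ordered, ordered[1:]):
        if lo_b <= hi_a:
            return True
    return False


def assess(header: str, resource_size: int, max_ranges: int = MAX_RANGES) -> Dict[str, object]:
    """Decide whether a Range header should be served or rejected by a filter."""
    specs = parse_ranges(header)
    intervals = normalize(specs, resource_size)
    overlapping = has_overlap(intervals)
    too_many = len(specs) > max_ranges
    return {
        "ranges": len(specs),
        "overlapping": overlapping,
        "too_many": too_many,
        "block": overlapping or too_many,
    }


if __name__ == "__main__":
    # Constructed sample headers against an assumed 1000-byte resource.
    for sample in ("bytes=0-99,200-299", "bytes=0-,100-", "bytes=-100,900-999"):
        print(sample, "->", assess(sample, resource_size=1000))
```

A filter built on this logic rejects a request before Apache tries to build the multipart response; serving only requests whose ranges are few and non-overlapping removes the amplification without affecting ordinary resumable downloads.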
Resolution

While the core issue should certainly be addressed within the Apache code itself, in the meantime Parallels H-Sphere administrators can also use special ModSecurity rules to mitigate this attack:
1. Enable the apache_security or the apache_security2 module for the web servers in the Parallels H-Sphere Control Panel (on the menu path: E.Manager → P.Servers → Physical Server Parameters)
2. Download the attached shell script into a temporary directory on the web server.
3. Run this script on the web server:
4. Reload the httpd service:
· on Linux
· on FreeBSD
5. Repeat steps 2 through 4 on each web server