by Phil Muncaster
31 Aug 2011
IT administrators running Apache web servers have been urged to update to version 2.2.20 of the Apache HTTPD server to protect against a denial-of-service (DoS) vulnerability being exploited in the wild.
The Apache Software Foundation (ASF) warned last week of an attack tool in the wild designed to take advantage of the flaw, which affects all versions of Apache 1.3 and Apache 2.
"A DoS vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server," the advisory said at the time.
"An attack tool is circulating in the wild. Active use of this has been observed. The attack can be done remotely and, with a modest number of requests, can cause very significant memory and CPU use on the server."
The ASF has now released an update to the web server software which will "fix handling of byte-range requests to use less memory, to avoid denial of service".
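For administrators who want to see whether such requests are reaching a server, the following added example (not from the article or the ASF advisory) parses an HTTP `Range` header value and flags requests that carry overlapping or unusually many byte ranges. The function names, the `MAX_RANGES` threshold and the sample header values are assumptions made for this illustration.

```python
import re

MAX_RANGES = 5  # assumed alerting threshold for this example, not from the advisory
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header):
    """Return [(first, last)] for a 'bytes=' Range value, or None if malformed.
    first is None for a suffix range ('-N'); last is None for open-ended ('N-')."""
    unit, sep, rest = header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in (s.strip() for s in rest.split(",")):
        if not spec:
            continue  # empty list elements are tolerated
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges or None

def assess(header, max_ranges=MAX_RANGES):
    """Summarise one Range header: range count, overlap, and whether to flag it."""
    ranges = parse_ranges(header)
    if ranges is None:
        return {"valid": False, "count": 0, "overlap": False, "flag": False}
    inf = float("inf")
    explicit = sorted((f, inf if l is None else l) for f, l in ranges if f is not None)
    # Two or more non-empty suffix ranges both cover the final byte, so they overlap.
    overlap = sum(1 for f, l in ranges if f is None and l > 0) > 1
    reach = -1  # highest byte offset covered so far
    for first, last in explicit:
        if first <= reach:
            overlap = True
        reach = max(reach, last)
    return {"valid": True, "count": len(ranges), "overlap": overlap,
            "flag": overlap or len(ranges) > max_ranges}

# Constructed sample header values (not taken from real traffic).
SAMPLES = ["bytes=0-499", "bytes=0-99,50-149,100-199", "bytes=0-0,2-2,4-4,6-6,8-8,10-10"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, assess(value))
```

Feeding it `Range` values from request logs requires that the server is configured to log that header, which default access log formats do not do.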
Chester Wisniewski, senior security advisor at Sophos Canada, said that all IT admins should apply the fix as soon as possible.
"Unfortunately, as we see all too frequently, many Linux and Unix administrators 'set and forget' their installations and never bother to look after their servers," he added.
"The Apache team should be applauded for testing and releasing an important security fix so quickly. Now it is up to you, the IT administrators who are using Apache, to follow through and apply these fixes."
Apache web servers are the most popular on the planet, with various estimates putting their share of the market at around 65 per cent.