No quick death for Apache Killer

A patch is out for a pernicious denial-of-service vulnerability in the Apache Web server, but its adoption rate is glacial

The Apache Foundation last week released an update to its flagship Web server to patch a pernicious denial-of-service vulnerability in the server software, a week after a security researcher published an easily executed attack, known as Apache Killer, to a well-known mailing list.

The vulnerability is trivial to exploit: a single crafted request can make an Apache Web server exhaust its memory and crash. The Apache Foundation update, Apache 2.2.20, fixes the issue, and it is recommended that companies patch their servers immediately.

Don't expect the issue to go away, however. While more than two-thirds of websites use Apache, according to W3Tech, only half run version 2.2, and far fewer run a recent revision of it. For example, only slightly more than 5 percent of all Web servers running Apache 2.2 are on the previous revision, Apache 2.2.19, the latest release before the patch.

"The patching process is going to be highly dependent on the organization," says Lori MacVittie, senior technical marketing manager for F5 Networks, an IT infrastructure firm. "For many organizations, they don't think it is a huge risk for them. That, of course, just encourages attackers to try the attack on any site that they can."

The vulnerability is partly a problem with Apache and partly a problem with the loose protocol created by the Internet Engineering Task Force (IETF) to define HTTP headers. The current flaw is in the way Apache handles the Range header, which lets a client ask for only part of a resource (for resuming downloads, or for thin clients with small memory footprints): a single request carrying hundreds of overlapping ranges makes the server prepare every piece separately, so memory use grows with the number of ranges rather than with the size of the file. Other header fields -- there are nearly 50 -- have caused similar problems. The HTTP Accept header, for example, has been used to try to execute commands on the Web server.

"This is a vulnerability in the actual protocol itself -- by adding new headers all the time, we are increasing our threat surface," says Jeff Costlow, principal security engineer with F5 Networks. "Apache wrote an implementation against a pretty ill-defined spec, and Apache implemented poorly when there was a long set of ranges."

The protocol leaves room for poor and broken implementations, he says.

For companies that cannot apply the patch immediately, the Apache Foundation has also published a list of mitigations for the flaw. In addition, companies running a Web application firewall in front of their site can block the attack there.
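The Range-header abuse described above, and the kind of check a Web application firewall or reverse proxy in front of the server would apply, as an added example that is not code from the article, from F5, or from the Apache project: it parses a Range value into its byte-range specs, counts them, looks for overlapping specs, and decides whether the request should be blocked. The sample requests are constructed here for illustration; the cut-off of five range specs is an assumption that mirrors the threshold used in Apache's own advisory mitigations, and the legacy Request-Range header is checked alongside Range because httpd honours both.

```python
"""Sanity-check HTTP Range headers the way a front-end filter would
before passing requests on to an unpatched Apache httpd 2.2.x."""
import re
from typing import List, Optional, Tuple

# Constructed sample of the kind of Range value the Apache Killer script
# sends: one open-ended spec followed by hundreds of overlapping ones.
KILLER_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))

# Constructed examples of ordinary partial-content requests.
RESUME_RANGE = "bytes=1048576-"          # download manager resuming a file
PDF_VIEWER_RANGE = "bytes=0-1023,2048-4095"  # viewer fetching two chunks

# Assumed threshold; Apache's advisory mitigations also cut off at 5 specs.
MAX_RANGES = 5

# A single byte-range-spec is "first-last", "first-" or "-suffix".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

# Constructed request heads, modelled on the shape of the attack
# (HEAD plus Accept-Encoding: gzip) and on a benign resume request.
KILLER_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Range: {KILLER_RANGE}\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: close\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /big.iso HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Range: {RESUME_RANGE}\r\n\r\n"
)


def parse_ranges(value: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse a 'bytes=...' Range value into (first, last) tuples.

    Returns None when the value is not a syntactically valid byte-range set;
    httpd ignores such headers and serves the whole resource, so there is
    nothing to amplify and nothing for a filter to do.
    """
    if not value.startswith("bytes="):
        return None
    specs: List[Tuple[Optional[int], Optional[int]]] = []
    for spec in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def has_overlap(specs: List[Tuple[Optional[int], Optional[int]]]) -> bool:
    """True when explicit ranges are not ascending and disjoint.

    Suffix ranges ("-500") cannot be positioned without the entity size and
    are skipped; an open-ended range ("0-") covers everything after it, so
    any explicit range that follows one is an overlap.
    """
    prev_end = -1.0
    for first, last in specs:
        if first is None:
            continue
        if first <= prev_end:
            return True
        prev_end = float("inf") if last is None else float(last)
    return False


def is_abusive(value: str, max_ranges: int = MAX_RANGES) -> bool:
    """Decide whether a Range value carries the attack's two signatures:
    far more specs than any real client sends, or overlapping specs."""
    specs = parse_ranges(value)
    if specs is None:
        return False
    return len(specs) > max_ranges or has_overlap(specs)


def check_request(raw_head: str) -> str:
    """Return 'block' or 'pass' for a raw request head.

    Both Range and the legacy Request-Range header are inspected, because
    httpd accepts either, and header names are matched case-insensitively.
    """
    for line in raw_head.split("\r\n")[1:]:
        if not line:
            break  # end of the header block
        name, _, val = line.partition(":")
        if name.strip().lower() in ("range", "request-range") and is_abusive(val.strip()):
            return "block"
    return "pass"


if __name__ == "__main__":
    print("killer:", check_request(KILLER_REQUEST))  # block
    print("benign:", check_request(BENIGN_REQUEST))  # pass
```

Blocking outright is the conservative choice for a filter that sits in front of a server it cannot patch yet; a gentler variant would strip the offending header and let the request through so that the full resource is served, which is what the advisory's mod_headers mitigation does.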

This story, "No quick death for Apache Killer," was originally published at InfoWorld.com.