
Update Protection against Apache mod_proxy Interim Responses Denial of Service


Check Point Reference: CPAI-2009-015
Date Published:
Severity:
Source: Secunia Advisory: SA30621
Industry Reference(s): CVE-2008-2364
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Apache 2.0.x
Apache 2.2.x
Vulnerability Description
A vulnerability has been identified in the popular Web server Apache, specifically in the mod_proxy module. The vulnerability can be exploited to consume large amounts of memory by tricking mod_proxy into sending an overly large number of interim responses to the client. Successful exploitation would result in denial of service. 
Update/Patch Available
Visit the SVN repository.
http://svn.apache.org/viewvc/httpd/ht...6154&r2=666153&pathrev=666154

Vulnerability Details
The vulnerability is caused by an error in the "ap_proxy_http_process_response()" function when sending interim responses to the client, potentially resulting in a denial of service.

Protection Overview
By enabling this protection, IPS-1 will detect and block a proxy exchange with more interim responses than the configured threshold. This threshold can be configured via the variable 'Maximum amount of interim HTTP responses per TCP connection'.
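
The threshold check described above, as an added sketch that is not Check Point's or Apache's code: it counts interim (1xx) responses in the server-to-client bytes of one TCP connection and compares the total to a limit. The function names, the limit of 10 and the sample streams are assumptions constructed for illustration; final responses are assumed to be framed by Content-Length.

```python
import re

# Status line of an HTTP/1.x response; group 1 is the three-digit status code.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: |$)")
MAX_INTERIM = 10  # constructed value; the advisory does not state a default


def count_interim_responses(stream: bytes) -> int:
    """Count 1xx responses in the server-to-client bytes of one connection."""
    count, pos = 0, 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block, nothing more to parse yet
        lines = stream[pos:end].split(b"\r\n")
        match = STATUS_LINE.match(lines[0])
        if not match:
            break  # not an HTTP response, stop rather than guess
        pos = end + 4
        if 100 <= int(match.group(1)) < 200:
            count += 1  # interim response: header block only, no body
            continue
        # Final response: skip its body so body bytes that happen to look
        # like a status line are never counted.
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                pos += int(value.strip())
                break
    return count


def exceeds_threshold(stream: bytes, max_interim: int = MAX_INTERIM) -> bool:
    """True when the connection carried more interim responses than allowed."""
    return count_interim_responses(stream) > max_interim


# Constructed sample streams (not captured traffic).
INTERIM = b"HTTP/1.1 100 Continue\r\n\r\n"
FINAL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
NORMAL = INTERIM + FINAL        # one interim response, then the real answer
FLOOD = INTERIM * 50 + FINAL    # far more interim responses than the limit

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("flood", FLOOD)):
        print(label, count_interim_responses(data), exceeds_threshold(data))
```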

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Apache Attacks protection group.
3. Click Apache mod_proxy maximum interim responses (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Attacks against Apache web servers
Description: Apache mod_proxy maximum interim responses