Via "'Apache Killer' exploits a vulnerability in Apache HTTP Server: patch to be released within 48 hours" (SourceForge.JP), "Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)" (Mailing list archives: announce@httpd.apache.org):

However there are several immediate options to mitigate this issue until
a full fix is available:
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such as complex http based video streaming.
So, for the time being, I'll try applying this mitigation...

P.S.)[1] "CVE-2011-3192 Range header DoS vulnerability Apache HTTPD 1.3/2.x" (LowPriority):

When stripping the header, handling the Range header alone was not enough.

## For the Range header
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
## For the Request-Range header
SetEnvIf Request-Range (,.*?){5,} bad-range=1
RequestHeader unset Request-Range env=bad-range
Given that, I also added handling for the Request-Range header...
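
An added example (not from the advisory or the quoted posts): a simplified Python model of the rules above, run against constructed header values, to check where the five-range threshold falls and which headers each variant inspects. The function names and the `ranges()` helper are assumptions made for this sketch, Python's `re` stands in for Apache's regex engine, and header names are matched by exact dictionary key.

```python
import re

# Patterns copied verbatim from the configuration on this page.
SETENVIF_BAD = re.compile(r"(,.*?){5,}")  # SetEnvIf: unanchored search
REWRITE_OK = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")  # negated by "!" in RewriteCond


def ranges(n):
    """Constructed sample value holding n one-byte ranges."""
    return "bytes=" + ",".join(f"{i}-{i}" for i in range(n))


def setenvif_unset(headers, checked=("Range", "Request-Range")):
    """Model SetEnvIf + RequestHeader unset; bad-range is one shared flag."""
    bad_range = any(SETENVIF_BAD.search(headers.get(h, "")) for h in checked)
    if not bad_range:
        return dict(headers)
    return {k: v for k, v in headers.items() if k not in checked}


def rewrite_rejects(headers):
    """Model RewriteCond %{HTTP:range} !(...) + RewriteRule .* - [F]."""
    # An absent header expands to the empty string, which "^$" allows.
    return REWRITE_OK.search(headers.get("Range", "")) is None


if __name__ == "__main__":
    samples = {  # all constructed for this example
        "5 ranges": {"Range": ranges(5)},
        "6 ranges": {"Range": ranges(6)},
        "Request-Range only": {"Request-Range": ranges(6)},
        "capitalised unit": {"Range": "Bytes=0-99"},  # pattern has no [NC]
    }
    for label, hdrs in samples.items():
        print(f"{label:20}"
              f" range-only:{sorted(setenvif_unset(hdrs, ('Range',)))}"
              f" both:{sorted(setenvif_unset(hdrs))}"
              f" rewrite-403:{rewrite_rejects(hdrs)}")
```

In this model the Range-only SetEnvIf variant and the RewriteCond rule both leave a Request-Range header untouched, and the RewriteCond pattern as written also rejects a Range value that does not start with lowercase `bytes=`.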

  1. Added on August 26, 2011.