KB Article #72181

Apache legacy Request-Range header vulnerability (CVE-2011-3192)


The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges.



To mitigate this flaw that could affect the AdminUI and ClientUI HTTP/S services in SecureTransport modify the <STHOME>/conf/admin.conf and <STHOME>/conf/httpd.conf to include the following:


  1. Load the headers module by adding the following line in the httpd configuration files:

    LoadModule headers_module modules/mod_headers.so

  2. Add the following to the end of the files:

    ## Drop the Range header when more than 5 ranges.
    ## CVE-2011-3192
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range

    ## We always drop Request-Range; as this is a legacy
    ## dating back to MSIE3 and Netscape 2 and 3.
    RequestHeader unset Request-Range

  3. Restart ST httpd services


*NOTE for Windows platform: Please note that Axway has released ST Server 5.1 SP2 Patch 11 (https://support.axway.com/en/downloads/download-details/id/38479), so the above workaround also apply for ST on Windows platform. If you are applying this workaround on a Windows platform, ST Server 5.1 SP2 Patch 11 must be installed as well, otherwise the Admin service will fail to start up.