KB Article #72181

Apache legacy Request-Range header vulnerability (CVE-2011-3192)

Problem

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges.


Resolution

To mitigate this flaw, which could affect the AdminUI and ClientUI HTTP/S services in SecureTransport, modify <STHOME>/conf/admin.conf and <STHOME>/conf/httpd.conf to include the following:


  1. Load the headers module by adding the following line to both httpd configuration files (the SetEnvIf directive used in step 2 is provided by mod_setenvif, so make sure that module is loaded in these files as well):

    LoadModule headers_module modules/mod_headers.so

  2. Add the following to the end of both files (the regular expression matches five or more commas in the Range value, i.e. more than five byte ranges, and the header is then removed before it reaches the byterange filter):

    ## Drop the Range header when more than 5 ranges.
    ## CVE-2011-3192
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range

    ## We always drop Request-Range; as this is a legacy
    ## dating back to MSIE3 and Netscape 2 and 3.
    RequestHeader unset Request-Range

  3. Restart ST httpd services
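To verify the workaround behaves as intended, the following added example (not part of this KB article or of SecureTransport) reproduces the classification done by the `SetEnvIf Range (,.*?){5,} bad-range=1` line in Python, builds the kind of overlapping multi-range header used to trigger CVE-2011-3192, and optionally sends it to a server to see whether the header is still honoured. The host, port and path in `probe_range_handling` are placeholders you supply; nothing here is taken from the article.

```python
"""Added example: check the CVE-2011-3192 Range-header workaround.

is_bad_range() mirrors the article's SetEnvIf regex so you can see which
Range values the workaround drops; probe_range_handling() sends such a
header to a server and returns the HTTP status it answers with.
"""
import http.client
import re
import ssl

# Same pattern as "SetEnvIf Range (,.*?){5,} bad-range=1": five or more
# commas in the header value, i.e. more than five byte ranges.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def is_bad_range(range_value: str) -> bool:
    """True if the workaround would set bad-range=1 and unset the header."""
    return BAD_RANGE_RE.search(range_value) is not None


def count_ranges(range_value: str) -> int:
    """Number of byte-range specs in a Range value such as bytes=a-b,c-d."""
    _, _, specs = range_value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def build_overlapping_range(n: int) -> str:
    """Build a Range value with n overlapping ranges (0-0,0-1,0-2,...).

    Overlapping ranges like these are what the vulnerable byterange filter
    expands in memory; a real attack uses hundreds or thousands of them.
    """
    return "bytes=" + ",".join(f"0-{i}" for i in range(n))


def probe_range_handling(host, port=443, path="/", n=20,
                         use_tls=True, timeout=10):
    """Send a GET with n overlapping ranges and return the response status.

    Interpreting the result (pick a path that normally answers 200, not a
    redirect to a login page):
      200 -> the Range header was dropped or ignored (workaround/fix active)
      206 -> the server still honoured the multi-range request
    """
    headers = {"Range": build_overlapping_range(n)}
    if use_tls:
        # Placeholder TLS setup; adjust if the service uses a private CA.
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    # Local sanity check of the classification only; no network traffic.
    for n in (1, 5, 6, 20):
        value = build_overlapping_range(n)
        print(f"{count_ranges(value):>3} ranges -> dropped: {is_bad_range(value)}")
```

Run `probe_range_handling("<your-st-host>", 443, "/some/static/resource")` before and after applying the workaround: a 206 means the Range header still reaches the byterange filter, a 200 means it was stripped. Keep `n` small when probing an unpatched production server, since a large value is exactly the denial-of-service condition the article describes.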


*NOTE for Windows platform: Axway has released ST Server 5.1 SP2 Patch 11 (https://support.axway.com/en/downloads/download-details/id/38479), so the above workaround also applies to ST on Windows. If you are applying this workaround on Windows, ST Server 5.1 SP2 Patch 11 must be installed first; otherwise the Admin service will fail to start.