Reference: CERT-EU Security Advisory 2011-0003
Title: Oracle emergency patch for Apache HTTPD DoS vulnerability
Version history: 20.09.2011 Initial publication

Summary
=======

Oracle announced[1] the availability of a patch for a denial of service vulnerability in Apache HTTPD. The patch addresses the security issue CVE-2011-3192[2], which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication to impact the availability of unpatched systems. Oracle estimated a CVSS Base Score of 5.0 (complete denial of service of the Oracle HTTP Server, but not of the operating system).

Other systems using Apache HTTPD are affected by this vulnerability as well[2]. Apache has released an updated version of the HTTP Server (v2.2.21)[3], to which all Apache HTTP Server installations of version 2.0 or 2.2 should be upgraded. A list (not necessarily exhaustive) of affected platforms can also be found in [4]. The National Vulnerability Database (US) has given this vulnerability a CVSS Base Score of 7.8 (complete operating system denial of service); the difference from Oracle's score lies in whether the availability impact is rated for the service alone or for the whole host.

What can you do?
================

The patch is available from Oracle[1], and an updated version of the HTTP Server is available from Apache[3]. Potentially affected systems should be patched/upgraded as soon as possible.

What to tell your users?
========================

This vulnerability does not concern end users. Only system administrators need to take action.

More information
================

[1] Oracle Security Alert
    http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html
[2] Vulnerability CVE-2011-3192
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
[3] Apache HTTP Server 2.2.21 Released
    http://httpd.apache.org/
[4] Apache vulnerability details and list of affected platforms
    http://xforce.iss.net/xforce/xfdb/69396
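The "What can you do?" section reduces to one instruction: find every Apache 2.0/2.2 instance and get it to 2.2.21 or the Oracle patch. The helper below is an added example for triaging a host inventory against that rule; it is not part of the CERT-EU advisory or of any Apache or Oracle tooling. It parses the version from stock Apache `Server` banners (the inventory, hostnames and banner strings are constructed for illustration) and classifies each host as "affected", "fixed", "unknown" (banner hides the version, e.g. `ServerTokens Prod`), "not-apache", or "out-of-scope" (a branch this advisory does not cover). Two caveats a practitioner should apply: a banner can be suppressed or spoofed, and vendors that backport fixes without bumping the version string will show up as "affected" until checked on the host; and Oracle HTTP Server installations are assumed not to expose the bundled Apache version in this form, so they must be tracked against Oracle's patch[1] rather than this banner check.

```python
import re

# Fixed release named in the advisory for the 2.2 branch (Apache HTTP Server 2.2.21).
FIXED_2_2_PATCH = 21

# Matches "Apache/2.2.16", "Apache/2.2" (ServerTokens Minor) and "Apache/2" (ServerTokens Major).
_APACHE_RE = re.compile(r"\bApache/(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server header such as
    'Apache/2.2.16 (Debian)'. Components the banner omits are None;
    returns None when no Apache version token is present at all."""
    m = _APACHE_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(x) if x is not None else None for x in m.groups())


def triage(server_header):
    """Classify one Server banner for CVE-2011-3192 follow-up.

    'affected'     : Apache 2.0.x (any patch) or 2.2.x below 2.2.21; upgrade/patch.
    'fixed'        : Apache 2.2.21 or later.
    'unknown'      : Apache, but the banner hides the branch or patch level;
                     verify on the host (banner may be ServerTokens Prod/Major/Minor).
    'not-apache'   : banner shows no Apache at all.
    'out-of-scope' : an Apache branch the advisory does not cover (1.3, 2.3, ...).
    """
    v = parse_apache_version(server_header)
    if v is None:
        return "unknown" if "apache" in (server_header or "").lower() else "not-apache"
    major, minor, patch = v
    if major != 2:
        return "out-of-scope"
    if minor is None:
        return "unknown"           # "Apache/2": cannot tell 2.0/2.2 from 2.3
    if minor == 0:
        return "affected"          # advisory: all 2.0 installations should be upgraded
    if minor != 2:
        return "out-of-scope"
    if patch is None:
        return "unknown"           # "Apache/2.2": patch level hidden
    return "fixed" if patch >= FIXED_2_2_PATCH else "affected"


def triage_inventory(inventory):
    """inventory: iterable of (hostname, server_header) pairs.
    Returns {hostname: status} using triage()."""
    return {host: triage(header) for host, header in inventory}


# Constructed sample inventory (hostnames and banners are illustrative, not real hosts).
SAMPLE_INVENTORY = [
    ("web01.example.test", "Apache/2.2.16 (Debian)"),
    ("web02.example.test", "Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r"),
    ("web03.example.test", "Apache/2.0.64 (Unix)"),
    ("web04.example.test", "Apache"),                 # ServerTokens Prod: version hidden
    ("web05.example.test", "nginx/1.0.6"),
    ("web06.example.test", "Apache/2.3.14 (Unix)"),   # development branch, not covered here
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status}")
```

Feed the function whatever your scanner or CMDB already records as the `Server` header; anything that comes back "affected" or "unknown" is a ticket to confirm the installed package version on the host itself, since the banner alone cannot prove a system is safe.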