Apache Killer DoS Bug Patched By Oracle

Oracle issued an emergency patch to fix a security vulnerability in Oracle application servers that are based on the Apache Web server software.

Apache developers rushed out a patch a few weeks ago to close a bug that allowed attackers to launch denial-of-service (DoS) attacks on Web servers running Apache 2.0 and 2.2. Oracle’s out-of-band update would fix the same issue on Oracle Fusion Middleware, Oracle Application Server and Oracle Enterprise Manager, according to a critical patch update advisory from the database giant. These systems are still commonly deployed in the enterprise.

No Authorisation Needed

Without needing a user name or password, attackers can remotely exploit the flaw that sends extremely large blocks of information in the headers in Apache HTTP Server. When the victim server tries to process the data, memory and CPU resources are exhausted, resulting in a DoS attack. While the bug has been known since 2007, a researcher posted an “Apache Killer” Perl script on the Full Disclosure mailing list in August that made it easier to launch these attacks.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible,” Oracle said in the security alert.

The issue also exists in Apache 1.3, but Apache developers decided not to patch that version because it was no longer supported. Similarly, Oracle patched only the most recent versions that are based on Apache 2.0 and 2.2. The fix is available for Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0 and 11.1.1.5.0; Oracle Application Server 10g Release 3, version 10.1.3.5.0; and Oracle Application Server 10g Release 2, version 10.1.2.3.0.

Administrators running a Mac-based server with Apache will still need to wait for Apple to deliver a patch because the Web Server is bundled inside Mac OS X.

The issue is “an urgent one”, Kurt Baumgartner, a senior security researcher at Kaspersky Lab, wrote on the SecureList blog. Attackers are targeting this vulnerability, as evidenced by the fact that “simple Perl scripts are publicly available”, he said. Considering the number of high-profile site takedowns that have already happened this year, site administrators are “urged to spend another day patching ASAP”, he added.

The National Vulnerability Database has assigned a Common Vulnerability Scoring System (CVSS) score of 7.8 for this vulnerability, according to the advisory, CVE-2011-3192. The score indicates that if exploited, the vulnerability could result in a “complete operating system denial of service”.

No DDoS At Oracle

Oracle downgraded the CVSS rating on its own advisory to a 5.0 because “a complete operating system denial of service is not possible on any platform supported by Oracle”. The HTTP Server on the servers will suffer denial of service, but the actual system will remain up and running, the company claimed.

Oracle assessed the vulnerability as serious enough to issue an out-of-band update instead of waiting for its next Critical Patch Update release, scheduled for 18 October.

Considering the seriousness of the bug and the speed Apache moved to patch the bug, it was “surprising” that Oracle waited till mid-September to patch an issue that was being publicly exploited, reported on and patched in August, Baumgartner said.