|Applies To||RSA Validation Manager 3.1|
Security scan shows a possible denial of service vulnerability
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.
We used the test script provided at http://seclists.org/fulldisclosure/2011/Aug/175 to test this vulnerability. We ran it with 50 child processes; memory went up to 200 MB and did not come back down. However, no Apache crash was observed in this test.
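A defender-side check for the header pattern described above, as an added example that is not part of the original article or the product's code: it parses `Range` and `Request-Range` values and flags requests carrying many or overlapping byte ranges. The `MAX_RANGES` threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

MAX_RANGES = 5  # assumed threshold for this example; tune to real traffic
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_ranges(value):
    """Parse 'bytes=a-b,c-d' into (start, end) tuples; None if malformed."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    out = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            return None
        # Open-ended 'a-' gives (a, None); suffix '-n' gives (None, n).
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None
        out.append((start, end))
    return out

def count_overlaps(ranges):
    """Count ranges that overlap an earlier one; suffix ranges are skipped."""
    spans = sorted((s, float("inf") if e is None else e)
                   for s, e in ranges if s is not None)
    overlaps, furthest = 0, -1
    for s, e in spans:
        if s <= furthest:
            overlaps += 1
        furthest = max(furthest, e)
    return overlaps

def assess(headers):
    """Return (verdict, reason) for a dict of request headers."""
    for name, value in headers.items():
        if name.lower() in ("range", "request-range"):
            ranges = parse_ranges(value)
            if ranges is None:
                return ("malformed", name)
            overlaps = count_overlaps(ranges)
            if len(ranges) > MAX_RANGES or overlaps:
                return ("flag", f"{name}: {len(ranges)} ranges, {overlaps} overlapping")
    return ("ok", "")

# Constructed sample requests, not captured traffic.
SAMPLES = [{"Range": "bytes=0-499,1000-1499"},
           {"Request-Range": "bytes=" + ",".join(f"0-{i}" for i in range(1, 50))}]
VERDICTS = [assess(h) for h in SAMPLES]
```

The same logic can be run over parsed access-log or proxy records to find requests worth reviewing.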
|Legacy Article ID||a55886|