'Kill tool' released for unpatched Apache server vulnerability

Summary: The open-source Apache Software Foundation warns that active use of a 'killapache' attack tool targeting an unpatched vulnerability has been observed.

The open-source Apache Software Foundation has warned that an attack tool has been released for a serious vulnerability in the Apache HTTPD Web Server.

The 'killapache' attack tool is currently circulating in the wild. "Active use of this tool has been observed," Apache warned.

"The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server," according to an advisory that documents a denial-of-service flaw in the default Apache HTTPD installation.

The foundation described the issue as a Range header DoS vulnerability and offered several pre-patch mitigations to limit the damage from a denial-of-service attack. The weakness lies in how the server handles the HTTP Range header: a single request that asks for a large number of byte ranges, including overlapping ones, makes the server allocate and process each range separately, so a handful of such requests is enough to exhaust memory and CPU.

"Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the mitigations," Apache said.
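The check that the advisory's mitigations amount to, as an added example and not code from Apache or from the advisory: it parses an HTTP Range header, counts the ranges, resolves them against a resource length and flags overlapping or excessive ranges, which is the request shape the killapache tool relies on. The threshold of five ranges, the 10,000-byte resource length used to resolve the ranges, the allow/reject policy and the sample headers are all assumptions constructed for this example.

```python
"""Range-header sanity check: count the byte ranges in an HTTP Range header
and flag overlapping or excessive ranges (the pattern killapache relies on).
Added example; not part of Apache HTTPD or the advisory."""
import re
from collections import namedtuple

Verdict = namedtuple("Verdict", "ranges overlapping allowed reason")

# Assumption: a request may carry at most this many ranges before it is
# treated as hostile; five is the figure the advisory's rewrite rule used.
MAX_RANGES = 5

_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value):
    """Split a Range header into (start, end) pairs.

    start is None for a suffix range ("-500"); end is None for an open
    range ("500-"). Raises ValueError for anything that is not bytes= syntax.
    """
    m = _BYTES_RE.match(value)
    if not m:
        raise ValueError("unsupported range unit or empty header")
    specs = []
    for raw in m.group(1).split(","):
        spec = _SPEC_RE.match(raw.strip())
        if not spec or spec.group(0) == "-":
            raise ValueError("malformed byte-range-spec: %r" % raw)
        start = int(spec.group(1)) if spec.group(1) else None
        end = int(spec.group(2)) if spec.group(2) else None
        specs.append((start, end))
    return specs


def resolve(specs, length):
    """Map each spec to an absolute, inclusive [first, last] interval for a
    resource of `length` bytes, dropping unsatisfiable ones (e.g. "5-0")."""
    intervals = []
    for start, end in specs:
        if start is None:                      # suffix range: last `end` bytes
            if end == 0:
                continue
            first, last = max(0, length - end), length - 1
        else:
            first = start
            last = length - 1 if end is None else min(end, length - 1)
        if first > last or first >= length:
            continue                           # unsatisfiable range
        intervals.append((first, last))
    return intervals


def has_overlap(intervals):
    """True if any two resolved intervals share at least one byte."""
    prev_last = -1
    for first, last in sorted(intervals):
        if first <= prev_last:
            return True
        prev_last = max(prev_last, last)
    return False


def assess_range_header(value, length, max_ranges=MAX_RANGES):
    """Decide whether a request should be served with its Range header.

    Policy (assumption): reject when more than max_ranges ranges are present
    or when ranges overlap; anything else is served as requested.
    """
    try:
        specs = parse_range_header(value)
    except ValueError as exc:
        return Verdict(0, False, False, str(exc))
    overlapping = has_overlap(resolve(specs, length))
    if len(specs) > max_ranges:
        return Verdict(len(specs), overlapping, False, "too many ranges")
    if overlapping:
        return Verdict(len(specs), True, False, "overlapping ranges")
    return Verdict(len(specs), False, True, "ok")


# Constructed sample headers (not captured traffic): the first two are what a
# browser or download manager sends; the last mimics the killapache pattern of
# one open range followed by hundreds of overlapping ones.
SAMPLES = {
    "resume": "bytes=5000-",
    "two_parts": "bytes=0-99,200-299",
    "killapache": "bytes=0-," + ",".join("5-%d" % k for k in range(1300)),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        v = assess_range_header(hdr, length=10000)
        print("%-10s ranges=%-5d overlap=%-5s allowed=%-5s %s"
              % (name, v.ranges, v.overlapping, v.allowed, v.reason))
```

Run as a script it prints one verdict per sample: the two ordinary headers are allowed and the killapache-style header is rejected for carrying 1301 ranges. On a live server the equivalent check sits in front of the content handler; the advisory's own options did this in the configuration by dropping or rejecting requests whose Range header holds more than a few comma-separated ranges, and a patched release makes the workaround unnecessary.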

A patch or new Apache release for Apache 2.0 and 2.2 is expected later this week.

Talkback

23 comments
  • RE: 'Kill tool' released for unpatched Apache server vulnerability

    Wait a minute according to some people on this site open source software is so secure it can't be hacked!!!!
    Viper589
    • Links please

      @Knix96, to claims that open source can't be hacked. A ridiculous position.

      This story isn't about Apache HTTPD being hacked anyway. Please read about DoS. Are the MCSEs getting even less knowledgeable? Is it indeed possible?

      This is a serious issue for those of us relying on Apache. Notes are critical reading.
      Richard Flude
      • RE: 'Kill tool' released for unpatched Apache server vulnerability

        @Richard Flude
        "'Kill tool' released for unpatched Apache server vulnerability"
        "This story isn't about Apache HTTPD being hacked anyway."
        "Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the mitigations,..."

        To quote Sesame Street, "One of these things is not like the others, guess which one it is.."
        TechNickle
      • Fbs

        Education should not stop with Sesame street.
        Richard Flude
    • RE: 'Kill tool' released for unpatched Apache server vulnerability

      According to some people the moon is made of cheese, therefore the moon isn't good. Apache on the other hand is one of the key pieces of software that got the Internet started. Its free and runs on everything, not just PCs. I consider denial-of-service a lesser problem, but taking control of the server sets off my alarm bells.
      lschw1
      • RE: 'Kill tool' released for unpatched Apache server vulnerability

        @lschw1

        a lesser problem? tell that to a hoster :)
        froldan0
    • RE: 'Kill tool' released for unpatched Apache server vulnerability

      @Knix96 nothing is too secure to be hacked. A patch will be available soon or is already available. Usually Apache patches pretty fast.
      Jimster480
  • RE: 'Kill tool' released for unpatched Apache server vulnerability

    I don't know about "some people", but my take on it is that the open-source community can fix a problem much quicker than proprietary software companies.
    j.q.public
    • Ahh. Wonderful recovery. Not.

      @j.q.public

      Even if I totally agree that one of the things that pro open source community members have said is that the open source community typically releases fixes faster than proprietary software vendors, it most certainly doesn't negate the fact that at the very least "some" in the pro open source community have said a lot more than that.

      It's definitely one of those situations where "some" have made statements very clearly, that while falling somewhat short of claiming Superman-like invulnerability to attacks, they have certainly made claims that are clearly designed to make one believe that these kinds of attacks are "practically" or "virtually" impossible. They make it sound like the potential for such vulnerabilities to cause any concern is so far removed from reality that there is "virtually" nothing to fear from the possibility of such an attack.

      As always, I can really only say one thing about such claims. If anyone ever thinks that if the whole world went open source/Linux tomorrow, the hacker community would quickly be drummed out of business simply because such operating systems are so difficult to do any damage to...they are out of their minds. You can count on it as a fact that what the hacker community would do is in fact anything and everything it could possibly take to step up their efforts by any means possible and necessary to make hacking a Linux box as close to as profitable as any other operating system.

      Count on it. It's not a fairy tale, it's the same determination that invented the computer and put a man on the moon. One thing you can say about humans, there is always a large enough number of them in every walk of life that will never give up and eventually come up with the solution to the problem at hand. And when that begets a new problem, there will always be plenty who will begin anew right away on that one.
      Cayble
    • RE: 'Kill tool' released for unpatched Apache server vulnerability

      @j.q.public Not arguing about quick time to patch in the open-source world, but the blog author posted a link to "pre-patch mitigations" that can be applied in the meantime. Since this vulnerability involves a server application and the attack is ITW, sysadmins may choose to apply one of the suggested mitigation techniques until the patch is ready to be applied.
      Rabid Howler Monkey
    • RE: 'Kill tool' released for unpatched Apache server vulnerability

      @j.q.public

      Mitigation != fix. Agreed? Raise your hands now...

      After all, unplugging your net cable is another 'mitigation' of sorts.
      TechNickle
  • RE: 'Kill tool' released for unpatched Apache server vulnerability

    Open source is still vulnerable to bug exploits (hacking and attacks); but unlike proprietary software, the community as a whole doesn't have to rely on some company to fix the problem, because they can debug it themselves immediately (with the know-how, of course).
    pdzdnet
    • RE: 'Kill tool' released for unpatched Apache server vulnerability

      @pdzdnet WTF does debugging have to do with patching vulnerabilities? I don't need the source to debug Windows apps, I just need public symbols.
      RvLeshrac
      • RE: 'Kill tool' released for unpatched Apache server vulnerability

        .
        a foot in both camps
      • RE: 'Kill tool' released for unpatched Apache server vulnerability

        @RvLeshrac
        You miss the point.
        Sure you can debug Windows apps using the public symbols. However only a small number of Microsoft programmers can fix the problem, whereas any competent member of the large number of people in the open-source community can submit a fix for review and subsequent distribution.
        a foot in both camps
    • And thats real nice.

      @pdzdnet

      But the one singular thing the open source community has absolutely got to keep in mind if they want to keep it real when discussing the pros and cons of, let's say, Windows vs. Linux for example: nobody outside of the open source community cares that much. At all.

      And that's simply because whatever inherent superior security measures Linux, for example, has embedded into its code that make hacking more difficult, the majority of the world who does use Windows has not experienced anything close to the problems the "Anything but Microsoft" crowd so often likes to claim exist.

      Does Windows have some inherent risks? Yes, we all know it does. I for one will always agree that the sheer number of relentless attacks designed for Windows is alone enough for concern. But Windows users have for a very long time now been fully prepared to accept those risks because they exist the way they do often because Windows has been designed for an incredible breadth of backward and forward capabilities for both software and hardware as well as many ease of use features that dictate that the OS is very very very complex and sizable and certainly that always has the potential to create more leaks in a larger more complex and versatile ship, so to speak.

      The end result has been for the vast majority of the population the problems actually coming out of these potential risks have been mercifully few and the payoff of having such an easy to use diverse operating system has been great.

      So, this quick patching by the community is nice. But keep in mind, it's not going to ever be an argument that has any sway in what kind of OS someone should choose unless security is so paramount that most other features can be ignored in favor of even marginal security improvements.

      Like maybe if you're a super spy for the C.I.A. or something. And you can trust me, if a spy from the C.I.A. ever asks me what OS he should use for absolute maximum security I will recommend he takes a good look at something in the open source/Linux vein.
      Cayble
      • RE: 'Kill tool' released for unpatched Apache server vulnerability

        @Cayble
        Nicely put.
        boycottFUD
  • RE: 'Kill tool' released for unpatched Apache server vulnerability

    Our web site suffered this vulnerability and solving it took us so much time; this downtime was a big problem for our clients. Solving it took us 3 days, and to work around it we uploaded an old version. Where can one get help for free software to solve these problems?
    raranibar
    • Why not

      "several immediate options to mitigate this issue" are provided in the advisory linked to in the article and a patch is on its way. What more help are you requiring?
      Richard Flude
      • RE: 'Kill tool' released for unpatched Apache server vulnerability

        @Richard Flude

        Hmm.. so there is an issue... with a patch on its way (otherwise, why patch?)... for what exactly?

        Your previous post, "This is a serious issue for those of us relying on Apache."

        And of what source is Apache, open per chance?

        Moreover, why build a "Kill Tool" at all? Wait for it.. it'll come to you, ... hopefully.
        TechNickle