Apache HTTPD mod_proxy_ajp DoS (Sep 30, 2011)


The Apache HTTP server is the most popular web server used on the Internet. The server comes bundled with optional plug-in modules which are loaded at run-time to extend its functionality. Two technologies supported by the Apache HTTP server are the Apache JServ Protocol (AJP) and httpd based load balancing.

AJP is a binary protocol which routes requests from a web server to application servers. This is done by using a routing scheme where each application server is given a name, known as its ‘route’. This setup is usually used in high demand environments where clusters of servers are implemented. It is implemented through the module mod_proxy_ajp. Although load balancing can be performed with this protocol, the module mod_cluster can be used in addition to mod_proxy_ajp to provide additional load balancing capabilities. While mod_proxy_ajp creates channels between the web servers and the application servers, mod_cluster creates channels between the application servers and the web server to provide more detailed information about the server state. This allows the proxy to dynamically configure httpd workers based on the application server environment.

Typically, an HTTP request is receieved by the web server which is then forwarded to the appropriate backend server based on the load balancer’s information. HTTP requests include a request line and various headers. The Request-Line begins with a method token, followed by the Request-URI, the protocol version, and CRLF. An example of an HTTP request line follows:

 GET /test.html HTTP/1.1 Host: www.test.com 

A denial of service vulnerability exists in the mod_proxy_ajp module. The vulnerability is due to insufficient validation of HTTP requests. The vulnerable code does not properly handle some HTTP methods. When a malicious request is processed by the code, it returns an HTTP_INTERNAL_SERVER_ERROR which puts the proxy workers into an error state. At this point, the workers are unable to accept any connections, resulting in a denial of service condition. An unauthenticated, remote attacker can exploit this vulnerability by sending an HTTP request with an invalid method. Exploitation of this flaw results in a temporary denial of service condition.

SonicWALL has released two IPS signatures to address this issue. The following signature have been released:

  • 2063 – Apache mod_proxy_ajp DoS 2
  • 2065 – Apache mod_proxy_ajp DoS 2

This vulnerability has been assigned the id CVE-2011-3348 by mitre.
The vendor has released an advisory addressing this flaw.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.