Topic: Issue in Apache 2.2.15

[sldc1984]

Hi,

We are getting an issue in Apache 2.2.15 which is used in our production environment. Temporary solution is to restart the windows services, if not then we proceed to reboot the server. We just checking if there any solution on it. Apache 2.2.15 (httpd-2.2.15-win32-x86-no_ssl.msi) is installed in Windows server 2012 R2.

Your response is highly appreciated.

Regards,

[glsmith]

Sounds a lot like CVE-2011-3192. I'm not saying it is but the needed reboot of the machine sometimes makes it seem more likely a possibility. See the section "Type of Attack" in the advisory and note the "... grinding your server down to a halt."

If this is what you are facing, the best way to fix is upgrade Apache. You should have been keeping that thing updated all along as new releases came along but enough with the lecture.

Another possibility is mod_rangecount_improved. However note the caveat about it in the advisory linked above. It's not perfect but was a good enough workaround before 2.2.20 was released.

Apache 2.2 EOL'd back in July so it might be hard to find a 2.2.34 which was 2.2's final release.

You really should just bite the big bullet and finally get onto 2.4, and then keep it up-to-date.

You could also schedule a restart of Apache say every hour but that still may not help and eventually require the reboot. It will also heavily pollute the error log

[sldc1984]

Hi,

Thanks for your response.
Unfortunately, the application is still intact with the Apache 2.2.15. As for now our option is to upgrade it. What version do you preferred and process step for us to do without uninstalling the existing Apache.


Best Regards,