Summary
A serious vulnerability has been discovered in the version of Apache used by all shipping versions of PureMessage for UNIX that exposes it to Denial-of-Service (DoS) attacks. A manual configuration change is required to close this vulnerability, and it should be applied to all of your PureMessage for UNIX systems immediately.
Details
CVE-2011-3192 is a Range header Denial-of-Service vulnerability recently reported in the Apache web server, which PureMessage uses for several web interfaces, including the Admin UI and the End User Web Interface. All versions of PureMessage for UNIX are affected.
To close this vulnerability, do the following for each of the PureMessage servers in your environment, as the pmx user:
1. Add the following lines to <PREFIX>/etc/manager/httpd2.conf:
LoadModule headers_module apache/modules/mod_headers.so
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range
2. Run the following command:
$ pmx-httpd restart
Your systems will no longer be vulnerable once this configuration change has been made for all PureMessage for UNIX servers in your environment.
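To make the effect of the step 1 directives concrete, the following is an added example (not part of the Sophos advisory or the PureMessage product) that mirrors the SetEnvIf test and the two RequestHeader directives in Python and runs them over constructed sample request headers; the header names and values below are constructed for illustration.

```python
import re

# Regex copied from the advisory's SetEnvIf directive. Apache evaluates it with
# PCRE; Python's re engine reads this pattern the same way: it matches a Range
# value containing at least five commas, i.e. a request for six or more byte ranges.
BAD_RANGE = re.compile(r"(?:,.*?){5,5}")


def is_bad_range(range_value):
    """True when SetEnvIf would set bad-range=1 for this Range header value."""
    return BAD_RANGE.search(range_value) is not None


def filter_headers(headers):
    """Apply the advisory's two RequestHeader directives to one request.

    headers is a list of (name, value) pairs as received from the client.
    Returns the pairs that would still reach the PureMessage web application:
    Range is dropped when it was flagged as bad-range, and Request-Range is
    always dropped. Header names are compared case-insensitively, as httpd does.
    """
    flagged = any(name.lower() == "range" and is_bad_range(value)
                  for name, value in headers)
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname == "request-range":
            continue                      # RequestHeader unset Request-Range
        if lname == "range" and flagged:
            continue                      # RequestHeader unset Range env=bad-range
        kept.append((name, value))
    return kept


# Constructed sample requests (not taken from the advisory).
SAMPLES = {
    "single range":  [("Host", "pmx.example"), ("Range", "bytes=500-999")],
    "five ranges":   [("Range", "bytes=0-0,1-1,2-2,3-3,4-4")],
    "six ranges":    [("Range", "bytes=0-0,1-1,2-2,3-3,4-4,5-5")],
    "legacy header": [("Request-Range", "bytes=0-1,2-3"), ("Accept", "*/*")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:14s} -> kept {filter_headers(hdrs)}")
```

Five ranges (four commas) pass through untouched, which shows the threshold the advisory's regex enforces; six or more ranges lose the Range header entirely and the request is served as a normal full download.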