Apache HTTPD mod_proxy_ajp DoS

September 30, 2011

The Apache HTTP server is the most popular web server used on the Internet. The server comes bundled with optional plug-in modules which are loaded at run-time to extend its functionality. Two technologies supported by the Apache HTTP server are the Apache JServ Protocol (AJP) and httpd-based load balancing.

AJP is a binary protocol which routes requests from a web server to application servers. This is done by using a routing scheme where each application server is given a name, known as its 'route'. This setup is usually used in high demand environments where clusters of servers are implemented. It is implemented through the module mod_proxy_ajp. Although load balancing can be performed with this protocol, the module mod_cluster can be used in addition to mod_proxy_ajp to provide additional load balancing capabilities. While mod_proxy_ajp creates channels between the web servers and the application servers, mod_cluster creates channels between the application servers and the web server to provide more detailed information about the server state. This allows the proxy to dynamically configure httpd workers based on the application server environment.

Typically, an HTTP request is received by the web server and then forwarded to the appropriate backend server based on the load balancer's information. HTTP requests include a request line and various headers. The Request-Line begins with a method token, followed by the Request-URI, the protocol version, and CRLF. An example of an HTTP request line, followed by a Host header, is shown below:

 GET /test.html HTTP/1.1
 Host: www.test.com

A denial of service vulnerability exists in the mod_proxy_ajp module. The vulnerability is due to insufficient validation of HTTP requests. The vulnerable code does not properly handle some HTTP methods. When a malicious request is processed by the code, it returns an HTTP_INTERNAL_SERVER_ERROR which puts the proxy workers into an error state. At this point, the workers are unable to accept any connections, resulting in a denial of service condition. An unauthenticated, remote attacker can exploit this vulnerability by sending an HTTP request with an invalid method. Exploitation of this flaw results in a temporary denial of service condition.
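The behaviour described above can be looked for in access logs. The following is an added example, not part of the original advisory or any vendor signature: it flags requests whose method is outside a site-defined allowlist and that were answered with HTTP 500, then counts the 503 responses that follow. The allowlist, the placeholder method "FOO", the sample log lines, and the assumption that the proxy answers 503 while its workers are in the error state are all assumptions of this example.

```python
import re

# Assumption: methods this site's proxied application legitimately uses.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return host, time, method and status for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("request").split(" ", 1)[0] or "-"
    return {"host": m.group("host"), "time": m.group("time"),
            "method": method, "status": int(m.group("status"))}

def find_suspects(lines, allowed=ALLOWED_METHODS, window=5):
    """Flag 500 responses to non-allowlisted methods and count the 503s
    seen in the next `window` entries (assumed sign of workers in error state)."""
    entries = [e for e in map(parse_line, lines) if e]
    suspects = []
    for i, e in enumerate(entries):
        if e["status"] == 500 and e["method"] not in allowed:
            after = entries[i + 1:i + 1 + window]
            e = dict(e, followed_by_503=sum(x["status"] == 503 for x in after))
            suspects.append(e)
    return suspects

# Constructed sample log (documentation addresses, placeholder method "FOO").
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2011:10:00:01 +0000] "GET /test.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Sep/2011:10:00:02 +0000] "FOO /test.html HTTP/1.1" 500 610',
    '192.0.2.10 - - [30/Sep/2011:10:00:03 +0000] "GET /test.html HTTP/1.1" 503 323',
    '192.0.2.11 - - [30/Sep/2011:10:00:04 +0000] "POST /login HTTP/1.1" 503 323',
    '192.0.2.12 - - [30/Sep/2011:10:00:05 +0000] "GET /app HTTP/1.1" 500 610',
]

if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(s["time"], s["host"], s["method"], "503s after:", s["followed_by_503"])
```

A 500 on an allowlisted method (the last sample line) is deliberately not flagged, since ordinary application errors produce those as well.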

SonicWALL has released two IPS signatures to address this issue. The following signatures have been released:

  • 2063 - Apache mod_proxy_ajp DoS 2
  • 2065 - Apache mod_proxy_ajp DoS 2

This vulnerability has been assigned the ID CVE-2011-3348 by MITRE.
The vendor has released an advisory addressing this flaw.