I’ve been asked a few times about the Apache vulnerability CVE-2008-2364. Most recently today by a colleague, who asked if it affects the Prefork MPM (answer: the MPM makes no difference). I’m going to stick my neck out and say (almost) everyone can and should ignore it.
Just for the record, here’s the explanation of what it’s about. It’s a Denial of Service, and it’s perpetrated not by a client (browser) who could be anyone, but by a backend server that Apache is proxying.
Backend server sends an interim (1xx) response:
HTTP/1.1 100 Continue
Apache eats a few bytes of memory to process it. The memory is returned to the free pool when the request completes.
Backend repeats the above a million times, and now Apache eats a few million bytes to process it. The memory is not returned to the free pool until the request completes. This makes for a possible but unlikely DoS attack.
There’s no valid reason for a backend to send more than one interim response to a request. But it’s not forbidden. Recent Apache versions fix this by limiting the number of interim responses that will be processed.
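A sketch of that kind of limit, added here as an illustration and not taken from Apache's source: a proxy-side reader counts interim responses ahead of the final status line and gives up on the backend once a cap is passed. The names `read_backend_status`, `make_stream` and `MAX_INTERIM`, and the cap value of 10, are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INTERIM 10 /* assumed cap for this example; the page gives no number */

/* Walk a backend response stream up to its final status line.
 * Returns the final status, -1 if malformed or truncated, -2 once more than
 * MAX_INTERIM interim (1xx) responses arrive. *interim gets the 1xx count. */
int read_backend_status(const char *stream, int *interim)
{
    const char *p = stream;
    *interim = 0;
    for (;;) {
        int major, minor, code;
        if (sscanf(p, "HTTP/%d.%d %3d", &major, &minor, &code) != 3
            || code < 100 || code > 599)
            return -1;
        if (code >= 200) return code;            /* final response */
        if (++*interim > MAX_INTERIM) return -2; /* give up on this backend */
        const char *end = strstr(p, "\r\n\r\n"); /* end of this header block */
        if (!end) return -1;
        p = end + 4;
    }
}

/* Constructed sample: n interim responses, then a 200. Caller frees. */
char *make_stream(int n)
{
    static const char interim[] = "HTTP/1.1 100 Continue\r\n\r\n";
    static const char last[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
    size_t il = sizeof interim - 1;
    char *buf = malloc((size_t)n * il + sizeof last);
    if (!buf) return NULL;
    for (int i = 0; i < n; i++)
        memcpy(buf + (size_t)i * il, interim, il);
    memcpy(buf + (size_t)n * il, last, sizeof last);
    return buf;
}

int main(void)
{
    int seen;
    char *s = make_stream(MAX_INTERIM + 1);
    if (!s) return 1;
    int rc = read_backend_status(s, &seen);
    printf("rc=%d after %d interim responses\n", rc, seen);
    free(s);
    return 0;
}
```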