VMware

vFabric Web Server 5.0 Release Notes

vFabric Web Server 5.0.0 | 14 SEP 2011
vFabric Web Server 5.0.1 | 22 SEP 2011
vFabric Web Server 5.0.2 | 05 MAR 2012

Last Document Update: 05 MAR 2012

What's New in vFabric Web Server 5.0.2

vFabric Web Server 5.0.2 updates the version of the following components:

  • Apache HTTP Server: 2.2.22
  • OpenSSL: 0.9.8t
  • mod_jk: 1.2.32

As a result of the updated Apache HTTP Server, a number of low to moderate security vulnerabilities are also fixed; see Fixed in Apache httpd 2.2.22 for details.

These changes are in addition to those in Web Server 5.0.0.

What's New in vFabric Web Server 5.0.1

vFabric Web Server 5.0.1 fixes a security vulnerability in the product and updates the version of Apache HTTP Server on which vFabric Web Server is based to version 2.2.21.

These changes are in addition to those in Web Server 5.0.0.

What's New in vFabric Web Server 5.0.0

vFabric Web Server 5.0.0 is very similar to vFabric Enterprise Ready Server (ERS) 4.0.3, but with the following changes:

  • vFabric Web Server 5.0.0 is based on Apache HTTP Server version 2.2.19.
  • The list of supported platforms has been constrained so as to better align with vFabric Platform. See Supported Platforms for details.
  • The list of included modules is smaller, so as to better align with vFabric Platform users. In particular, vFabric Web Server does not include the PHP and Perl modules. See Complete Packages and Modules in vFabric Web Server for details.
  • vFabric Web Server is not available standalone, which means that it is available only as part of vFabric Platform.

Known Issues

The following problems have been identified in this release of vFabric Web Server. Where possible, a workaround is also provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of vFabric Web Server.

Issue Number: CVE-2011-3192
Found In: 5.0.0
Fixed In: 5.0.1

Description: vFabric Web Server 5.0.0 Range header DoS vulnerability. vFabric Web Server 5.0.0 is vulnerable to the Range header DoS vulnerability as described in CVE-2011-3192. Full details on this issue can be found at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192. VMware encourages users to avoid processing Range: requests on outward-facing servers by limiting this feature in their httpd.conf configuration file:

   # Drop Range headers of more than 5 ranges
   SetEnvIf Range (?:,.*?){5,5} bad-range=1
   RequestHeader unset Range env=bad-range

   # Drop Request-Range, as this is a legacy
   # dating back to MSIE3 and Netscape 2 and 3.
   RequestHeader unset Request-Range

   # Optional logging of rejected ranges.
   CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Alternately, support for ranges can be dropped entirely with the following two directives in the httpd.conf file:

   RequestHeader unset Range
   RequestHeader unset Request-Range

The vFabric Web Server 5.0.1 update is expected on 9/23 and all customers are encouraged to migrate to this release. Customers can request a preview of this release by contacting their support representative.

Issue Number: VWS-17
Found In: 5.0.0
Fixed In: (blank)

Description: Windows operating systems do not include a tool to create a symbolic link, which is required by the vFabric Web Server installation.

Workaround: Create the symbolic link yourself. See Windows: Install vFabric Web Server from a ZIP File for details.
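
The effect of the first CVE-2011-3192 workaround above can be checked offline before it is deployed. The following Python model is an added example, not VMware or Apache code; the function names and the sample requests are constructed for illustration. It shows which Range headers the SetEnvIf pattern flags (five commas, that is, six or more ranges) and that Request-Range is always removed.

```python
import re

# Same pattern as the SetEnvIf directive above: five commas anywhere in the
# value, i.e. a Range header that lists six or more ranges.
BAD_RANGE = re.compile(r"(?:,.*?){5,5}")


def count_ranges(value):
    """Number of comma-separated range specs in a Range header value."""
    spec = value.split("=", 1)[-1]
    return len([part for part in spec.split(",") if part.strip()])


def apply_workaround(headers):
    """Model the directives; return (headers_after, bad_range flag)."""
    # HTTP header names are case-insensitive, so normalise before comparing.
    by_name = {name.lower(): name for name in headers}
    result = dict(headers)
    bad_range = False

    # SetEnvIf performs an unanchored regex search, hence search() not match().
    range_name = by_name.get("range")
    if range_name and BAD_RANGE.search(headers[range_name]):
        bad_range = True
        del result[range_name]   # RequestHeader unset Range env=bad-range

    legacy = by_name.get("request-range")
    if legacy:
        del result[legacy]       # RequestHeader unset Request-Range
    return result, bad_range


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"Host": "www.example.com", "Range": "bytes=0-499"},
    {"Host": "www.example.com", "Range": "bytes=0-9,10-19,20-29,30-39,40-49"},
    {"Host": "www.example.com", "Range": "bytes=0-9,10-19,20-29,30-39,40-49,50-59"},
    {"Host": "www.example.com", "request-range": "bytes=0-499"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        after, bad = apply_workaround(sample)
        n = count_ranges(sample["Range"]) if "Range" in sample else 0
        print(f"ranges={n} bad-range={bad} forwarded={sorted(after)}")
```

A request with exactly five ranges passes through unchanged; the header is stripped only from the sixth range onward, so clients that issue small multi-range requests keep working.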