Bug 509125 (CVE-2009-1891)
| Summary: | CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | jorton, kreilly, ldimaggi, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-22 15:22:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 505026, 505027, 509781, 509782, 509783, 515705, 534039, 534040 | ||
| Bug Blocks: | |||
|
Description
Tomas Hoger
2009-07-01 13:30:48 UTC
This issue affects all httpd versions shipped in currently supported Red Hat products - Red Hat Enterprise Linux 3, 4 and 5, Red Hat Application Stack v1 and v2, and JBoss Enterprise Web Server. This issue has been rated as having low security impact due to multiple reasons: - Attacker can trigger similar high CPU use even without breaking connection early, though he needs to deal with the data sent by the server. This flaw makes this resource consumption attack easier for an attacker though. - mod_deflate / output compression filter is not enabled in the default configuration. - Compression is typically enabled for file types that can benefit from it (e.g. text or html pages, but not for already compressed image files), files of those types served by the server are not always large enough to make this attack efficient (i.e. adding much benefit over plain DoS using as many connections as possible). This flaw can only be used in an attack efficiently, if the server already hosts large-enough file that has deflate compression enabled. - This is temporary DoS issue, it does not crash httpd, but causes it to use CPU while attacker is able to send new requests. Future updates of httpd packages may address this flaw. Proposed patches: http://marc.info/?l=apache-httpd-dev&m=124661528519546&w=2 Upstream patch: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454&view=patch Identical to the noted proposed patches, but applied upstream. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1148 https://rhn.redhat.com/errata/RHSA-2009-1148.html This issue has been addressed in following products: JBEWS 1.0.0 for RHEL 5 Via RHSA-2009:1155 https://rhn.redhat.com/errata/RHSA-2009-1155.html This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2009:1156 https://rhn.redhat.com/errata/RHSA-2009-1156.html This issue has been addressed in following products: JBEWS 1.0.0 for RHEL 4 Via RHSA-2009:1160 https://rhn.redhat.com/errata/RHSA-2009-1160.html This issue has been addressed in following products: Red Hat Enterprise Linux 3 Via RHSA-2009:1205 https://rhn.redhat.com/errata/RHSA-2009-1205.html httpd-2.2.13-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2009:1580 https://rhn.redhat.com/errata/RHSA-2009-1580.html This issue has been addressed in following products: Red Hat Certificate System 7.3 Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html |