Summary: ======== Subversion's mod_dav_svn Apache HTTPD server module may use excessive amounts of memory when processing REPORT requests that require traversing through a large number of FSFS repository nodes (files and directories). This can lead to a DoS. There are no known instances of this problem being observed in the wild, but an exploit has been tested. Details: ======== Subversion FSFS repositories cache different types of data for performance reasons. An FSFS repository filesystem is structured as a direct acyclic graph (DAG), and it has a special cache for the DAG nodes. Subversion 1.8.0 added an additional level of caching for the DAG nodes, and the excessive memory use is a consequence of the cached nodes not being deallocated in a timely manner. HTTPD Server and Subversion use memory pools for allocations. Certain REPORT requests can trigger a state when the cache keeps allocating new elements from a pool, but the previously allocated elements are not being deallocated. This memory will be reclaimed eventually (once the request finishes or when the cache leaves the inappropriate state), but multiple parallel requests might ultimately exhaust all the available memory on the server. Severity: ========= CVSSv2 Base Score: 5.0 CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P We consider this to be a medium risk vulnerability. Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers with FSFS repositories are vulnerable. Apache HTTPD servers that block potentially expensive requests via mod_dontdothat module have a smaller attack surface, but are still vulnerable. Actual memory consumption (per request) depends on the layout and size of the particular repository, but is potentially unbounded. The impact of using this memory varies wildly based on operating system and httpd configuration. Some operating systems may kill off processes or crash if too much memory is used. The Apache HTTPD configuration option of MaxRequestsPerChild may restart a process after a certain number of requests and limit the impact of accidental exercise of this issue. However, a determined attacker could repeat the requests and mitigate any countermeasures. Recommendations: ================ There is no effective configuration that can mitigate the issue entirely however the use of ulimit (or the equivalent) to set memory limits for processes may help prevent the impact affecting other services running on the same machine. Statement: Not vulnerable. This issue did not affect the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for additional level of caching for the DAG nodes, which cause excessive memory use due to the cached nodes not being deallocated in a timely manner. Acknowledgements: Red Hat would like to thank the Apache Software Foundation for reporting this issue. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter.
Created attachment 1005806 [details] Patch against 1.8.11
External References: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt
Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1207723]