Bug 245117 - CVE-2007-3303 httpd worker DoS
Summary: CVE-2007-3303 httpd worker DoS
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2007-06-21 08:56 UTC by Mark J. Cox
Modified: 2007-06-26 12:57 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-06-26 12:57:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Mark J. Cox 2007-06-21 08:56:11 UTC
"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users
to cause a denial of service via certain code sequences executed in a worker
process that (1) stop request processing by killing all worker processes and
preventing creation of replacements or (2) hang the system by forcing the master
process to fork an arbitrarily large number of worker processes. NOTE: This
might be an inherent design limitation of Apache with respect to worker
processes in hosted environments."

Comment 1 Joe Orton 2007-06-26 12:56:05 UTC
In the security model used by Apache httpd, the less-privileged child processes
(running as the "apache" user) completely handle the servicing of new
connections. Any local user who is able to run arbitrary code in those children
is therefore able to prevent new requests from being serviced, by design.  Such
users will also be able to "simulate" server load and force the parent to create
children up to the configured limits, by design.

A server with untrusted local users must be configured to use a solution like
"suexec" if it's required to allow the users to execute CGI (etc) scripts.

Note You need to log in before you can comment on or make changes to this bug.