Bug 509125 (CVE-2009-1891) - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
Summary: CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1891
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 505026 505027 509781 509782 509783 515705 534039 534040
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-01 13:30 UTC by Tomas Hoger
Modified: 2019-09-29 12:30 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 15:22:08 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1148 0 normal SHIPPED_LIVE Important: httpd security update 2009-07-09 16:10:16 UTC
Red Hat Product Errata RHSA-2009:1155 0 normal SHIPPED_LIVE Important: httpd security update 2009-07-14 19:07:00 UTC
Red Hat Product Errata RHSA-2009:1156 0 normal SHIPPED_LIVE Important: httpd security update 2009-07-14 19:07:55 UTC
Red Hat Product Errata RHSA-2009:1160 0 normal SHIPPED_LIVE Important: httpd22 security update 2009-07-17 13:13:34 UTC
Red Hat Product Errata RHSA-2009:1205 0 normal SHIPPED_LIVE Moderate: httpd security and bug fix update 2009-08-10 17:40:21 UTC
Red Hat Product Errata RHSA-2009:1580 0 normal SHIPPED_LIVE Moderate: httpd security update 2009-11-11 22:05:07 UTC
Red Hat Product Errata RHSA-2010:0602 0 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Tomas Hoger 2009-07-01 13:30:48 UTC
François Guerraz reported in Debian BTS a possible DoS (CPU consumption) a DoS with mod_deflate since it does not stop to compress large files even after the network connection has been closed.  This allows to use large amounts of CPU if there is a largish file available that has mod_deflate enabled.

Original report:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712

Post to the apache-httpd-dev mailing list:
  http://marc.info/?l=apache-httpd-dev&m=124621326524824&w=2

Comment 1 Tomas Hoger 2009-07-01 13:46:35 UTC
This issue affects all httpd versions shipped in currently supported Red Hat products - Red Hat Enterprise Linux 3, 4 and 5, Red Hat Application Stack v1 and v2, and JBoss Enterprise Web Server.

This issue has been rated as having low security impact due to multiple reasons:

- Attacker can trigger similar high CPU use even without breaking connection early, though he needs to deal with the data sent by the server.  This flaw makes this resource consumption attack easier for an attacker though.

- mod_deflate / output compression filter is not enabled in the default configuration.

- Compression is typically enabled for file types that can benefit from it (e.g. text or html pages, but not for already compressed image files), files of those types served by the server are not always large enough to make this attack efficient (i.e. adding much benefit over plain DoS using as many connections as possible).  This flaw can only be used in an attack efficiently, if the server already hosts large-enough file that has deflate compression enabled.

- This is temporary DoS issue, it does not crash httpd, but causes it to use CPU while attacker is able to send new requests.

Future updates of httpd packages may address this flaw.

Comment 4 Tomas Hoger 2009-07-03 12:40:03 UTC
Proposed patches:
  http://marc.info/?l=apache-httpd-dev&m=124661528519546&w=2

Comment 6 Vincent Danen 2009-07-06 18:36:06 UTC
Upstream patch:
  http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454&view=patch

Identical to the noted proposed patches, but applied upstream.

Comment 9 errata-xmlrpc 2009-07-09 16:10:22 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1148 https://rhn.redhat.com/errata/RHSA-2009-1148.html

Comment 10 errata-xmlrpc 2009-07-14 19:07:09 UTC
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1155 https://rhn.redhat.com/errata/RHSA-2009-1155.html

Comment 11 errata-xmlrpc 2009-07-14 19:08:03 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1156 https://rhn.redhat.com/errata/RHSA-2009-1156.html

Comment 12 errata-xmlrpc 2009-07-17 13:13:48 UTC
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1160 https://rhn.redhat.com/errata/RHSA-2009-1160.html

Comment 13 errata-xmlrpc 2009-08-10 17:40:27 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1205 https://rhn.redhat.com/errata/RHSA-2009-1205.html

Comment 14 Fedora Update System 2009-08-31 23:39:08 UTC
httpd-2.2.13-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2009-11-11 22:09:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1580 https://rhn.redhat.com/errata/RHSA-2009-1580.html

Comment 16 errata-xmlrpc 2010-08-04 21:31:48 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html


Note You need to log in before you can comment on or make changes to this bug.