Bug 509125 - (CVE-2009-1891) CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,source=debian,reported=200...
Keywords: Security
Depends On: 505026 505027 509781 509782 509783 515705 534039 534040
 
Reported: 2009-07-01 09:30 EDT by Tomas Hoger
Modified: 2015-08-22 11:22 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-08-22 11:22:08 EDT
Attachments: None

Description Tomas Hoger 2009-07-01 09:30:48 EDT
François Guerraz reported in the Debian BTS a possible DoS (CPU consumption) with mod_deflate, since it does not stop compressing large files even after the network connection has been closed.  This allows an attacker to use large amounts of CPU if there is a largish file available that has mod_deflate enabled.

Original report:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712

Post to the apache-httpd-dev mailing list:
  http://marc.info/?l=apache-httpd-dev&m=124621326524824&w=2
Comment 1 Tomas Hoger 2009-07-01 09:46:35 EDT
This issue affects all httpd versions shipped in currently supported Red Hat products - Red Hat Enterprise Linux 3, 4 and 5, Red Hat Application Stack v1 and v2, and JBoss Enterprise Web Server.

This issue has been rated as having low security impact for multiple reasons:

- An attacker can trigger similar high CPU use even without breaking the connection early, though he needs to deal with the data sent by the server.  This flaw makes this resource consumption attack easier for an attacker, though.

- mod_deflate / the output compression filter is not enabled in the default configuration.

- Compression is typically enabled for file types that can benefit from it (e.g. text or HTML pages, but not already compressed image files); files of those types served by the server are not always large enough to make this attack efficient (i.e. to add much benefit over a plain DoS using as many connections as possible).  This flaw can only be used efficiently in an attack if the server already hosts a large-enough file that has deflate compression enabled.

- This is a temporary DoS issue: it does not crash httpd, but causes it to use CPU while the attacker is able to send new requests.

Future updates of httpd packages may address this flaw.
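The mechanism in the report (the output filter keeps compressing after the client has gone away) and the behaviour of the fix (stop feeding the compressor once the connection is known to be aborted) as a runnable model. This is an added example written for this page, not httpd's code, mod_deflate's code or the upstream patch: the `ClientConnection` class, the 8 KiB chunking and the `stop_on_abort` switch are assumptions standing in for httpd's filter chain and connection state, and the 1 MiB text body is constructed.

```python
import zlib

CHUNK_SIZE = 8192  # bytes of plaintext handed to the compressor per filter pass

# Constructed stand-in for a largish compressible file (1 MiB of text) that
# the server would compress with the DEFLATE output filter. Not from the report.
LINE = b"lorem ipsum dolor sit amet.....\n"          # 32 bytes
LARGE_TEXT_FILE = LINE * (1 << 15)                    # 1 MiB
NUM_CHUNKS = -(-len(LARGE_TEXT_FILE) // CHUNK_SIZE)   # 128 input chunks


class ClientConnection:
    """Simplified model of a client connection (hypothetical; not httpd's conn_rec).

    close_after_bytes: the client disconnects once it would receive more than
    this many bytes; None means the client reads the whole response.
    """

    def __init__(self, close_after_bytes):
        self.close_after_bytes = close_after_bytes
        self.sent = 0
        self.aborted = False   # the flag the fixed variant checks before doing more work

    def write(self, data):
        """Send compressed bytes; fail once the peer has closed the socket."""
        if not data:
            return
        if self.aborted or (
            self.close_after_bytes is not None
            and self.sent + len(data) > self.close_after_bytes
        ):
            self.aborted = True
            raise BrokenPipeError("client closed connection")
        self.sent += len(data)


def deflate_response(body, conn, stop_on_abort):
    """Gzip `body` chunk by chunk through `conn`, returning the number of
    chunks that were actually compressed (a proxy for CPU spent).

    stop_on_abort=False models the unfixed filter chain: a failed write is
    noticed, but the compressor is still fed every remaining chunk.
    stop_on_abort=True models the fix: once the connection is known to be
    aborted, the rest of the body is dropped without compressing it.
    """
    comp = zlib.compressobj(level=9, wbits=31)  # wbits=31: gzip framing
    compressed_chunks = 0
    for off in range(0, len(body), CHUNK_SIZE):
        if stop_on_abort and conn.aborted:
            break
        # Z_SYNC_FLUSH so every input chunk yields output to write, which is
        # what exposes the closed socket to the sender.
        out = comp.compress(body[off:off + CHUNK_SIZE]) + comp.flush(zlib.Z_SYNC_FLUSH)
        compressed_chunks += 1
        try:
            conn.write(out)
        except BrokenPipeError:
            pass  # both variants learn of the abort here; only one acts on it
    if not conn.aborted:
        conn.write(comp.flush())  # gzip trailer for a client that is still there
    return compressed_chunks


def simulate(stop_on_abort, close_after_bytes=0):
    """Serve LARGE_TEXT_FILE to a client that hangs up after close_after_bytes
    (0 = right after sending the request). Returns (chunks compressed, aborted)."""
    conn = ClientConnection(close_after_bytes)
    work = deflate_response(LARGE_TEXT_FILE, conn, stop_on_abort)
    return work, conn.aborted


if __name__ == "__main__":
    for label, fixed in (("unfixed", False), ("fixed", True)):
        work, _ = simulate(stop_on_abort=fixed)
        print(f"{label}: compressed {work}/{NUM_CHUNKS} chunks for a client that hung up immediately")
```

The unfixed variant does the full compression for a client that hung up before reading a byte; the fixed variant compresses one chunk, discovers the peer is gone and discards the rest. That per-request cost is what comment 1 weighs: the attacker only profits if the server already serves a large resource with the DEFLATE filter enabled, which is the configuration to check for on a given host.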
Comment 4 Tomas Hoger 2009-07-03 08:40:03 EDT
Proposed patches:
  http://marc.info/?l=apache-httpd-dev&m=124661528519546&w=2
Comment 6 Vincent Danen 2009-07-06 14:36:06 EDT
Upstream patch:
  http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454&view=patch

Identical to the noted proposed patches, but applied upstream.
Comment 9 errata-xmlrpc 2009-07-09 12:10:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1148 https://rhn.redhat.com/errata/RHSA-2009-1148.html
Comment 10 errata-xmlrpc 2009-07-14 15:07:09 EDT
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1155 https://rhn.redhat.com/errata/RHSA-2009-1155.html
Comment 11 errata-xmlrpc 2009-07-14 15:08:03 EDT
This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1156 https://rhn.redhat.com/errata/RHSA-2009-1156.html
Comment 12 errata-xmlrpc 2009-07-17 09:13:48 EDT
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1160 https://rhn.redhat.com/errata/RHSA-2009-1160.html
Comment 13 errata-xmlrpc 2009-08-10 13:40:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1205 https://rhn.redhat.com/errata/RHSA-2009-1205.html
Comment 14 Fedora Update System 2009-08-31 19:39:08 EDT
httpd-2.2.13-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 errata-xmlrpc 2009-11-11 17:09:45 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1580 https://rhn.redhat.com/errata/RHSA-2009-1580.html
Comment 16 errata-xmlrpc 2010-08-04 17:31:48 EDT
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html