Bug 803918 - (CVE-2012-1181) CVE-2012-1181 mod_fcgid 2.3.6 does not respect configured FcgidMaxProcessesPerClass in VirtualHost
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 803919 803921
Reported: 2012-03-15 20:47 EDT by Kurt Seifried
Modified: 2012-03-16 06:13 EDT

Doc Type: Bug Fix
Last Closed: 2012-03-16 06:13:14 EDT
Description Kurt Seifried 2012-03-15 20:47:42 EDT
Daniel Kahn Gillmor dkg@fifthhorseman.net reports:

Version 2.3.6 of mod-fcgid (the current published version from ASF according to [0]) has a known problem that FcgidMaxProcessesPerClass directives are not honored when they appear inside a VirtualHost stanza.

This presents a risk for a denial of service because it means that a remote attacker can violate the intent of the admin and overwhelm the server running fcgid.

Could a CVE be assigned for this vulnerability?

If the admin declares that a given virtualhost should be limited to X fastcgi processes (often in order to constrain RAM usage by the vhost), any remote user can issue X+1 (or 10X, or whatever) concurrent GET requests, which defeats the documented limit, and can result in heavy swap or the oom-killer, which can cause a DoS on other services on the host.

This bug has been fixed since the release of 2.3.6 in upstream's svn (r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk) with a narrowly-targeted one-line patch:

--- modules/fcgid/fcgid_spawn_ctl.c    (revision 1037726)
+++ modules/fcgid/fcgid_spawn_ctl.c    (revision 1037727)
@@ -178,7 +178,7 @@
         if (current_node->inode == command->inode
             && current_node->deviceid == command->deviceid
             && !strcmp(current_node->cmdline, command->cmdline)
-            && current_node->vhost_id == sconf->vhost_id
+            && current_node->vhost_id == command->vhost_id
             && current_node->uid == command->uid
             && current_node->gid == command->gid)
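Review bot: missing documentation at the `vhost_id` comparison: before this change it was the only term in the condition read from `sconf` while every neighbouring term reads from `command`, and nothing in the hunk tells a later editor why that matters. Suggest a one-line comment above the condition stating that all fields identifying a process class must come from `command`, and checking whether `sconf` is still used in the enclosing function so it can be dropped if not. A regression test that sets FcgidMaxProcessesPerClass inside a VirtualHost and asserts the process count stays at the limit would cover the behaviour described in the report.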

But this patch hasn't made it to any released version.

Debian has plans to release a Debian Security Advisory for the issue and will resolve it with the above patch.

This problem is also documented at:




[0] https://httpd.apache.org/mod_fcgid/
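
A simplified model of the per-class lookup touched by the patch above, added here as an illustration and not taken from mod_fcgid. It assumes that a lookup which finds no matching node applies no limit, and that `sconf` can carry a different `vhost_id` than the command being spawned; the struct layout, `simulate` and the sample path are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model: one accounting node per process class. */
struct class_node { int vhost_id; const char *cmdline; int process_counter; };
struct spawn_cmd  { int vhost_id; const char *cmdline; };

static struct class_node nodes[8];
static int node_count;

/* Same shape as the patched predicate, reduced to cmdline + vhost_id. */
static struct class_node *find_node(const struct spawn_cmd *cmd, int vhost_id)
{
    for (int i = 0; i < node_count; i++)
        if (!strcmp(nodes[i].cmdline, cmd->cmdline)
            && nodes[i].vhost_id == vhost_id)
            return &nodes[i];
    return NULL;
}

/* Returns how many of `requests` spawn attempts are granted.
 * fixed == 0: limit check keyed on sconf_vhost (the line removed by the patch)
 * fixed == 1: limit check keyed on the command's vhost_id (the line added) */
int simulate(int limit, int requests, int cmd_vhost, int sconf_vhost, int fixed)
{
    struct spawn_cmd cmd = { cmd_vhost, "/srv/example/app.fcgi" }; /* constructed */
    int granted = 0;
    node_count = 0;
    for (int r = 0; r < requests; r++) {
        struct class_node *n = find_node(&cmd, fixed ? cmd.vhost_id : sconf_vhost);
        if (n && n->process_counter >= limit)
            continue;                      /* limit applied: spawn refused */
        n = find_node(&cmd, cmd.vhost_id); /* accounting uses the real class */
        if (!n) {
            n = &nodes[node_count++];
            n->vhost_id = cmd.vhost_id;
            n->cmdline = cmd.cmdline;
            n->process_counter = 0;
        }
        n->process_counter++;
        granted++;
    }
    return granted;
}

int main(void)
{
    printf("before fix: %d of 10 granted\n", simulate(3, 10, 2, 0, 0));
    printf("after fix:  %d of 10 granted\n", simulate(3, 10, 2, 0, 1));
    return 0;
}
```

In this model the pre-fix check only enforces the limit when the two ids happen to coincide, which is why the same directive can appear to work in one scope and not in another.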
Comment 1 Kurt Seifried 2012-03-15 20:54:17 EDT
Created mod_fcgid tracking bugs for this issue

Affects: fedora-all [bug 803919]
Comment 2 Kurt Seifried 2012-03-15 20:59:09 EDT
Created mod_fcgid tracking bugs for this issue

Affects: epel-all [bug 803921]
Comment 3 Paul Howarth 2012-03-16 05:06:21 EDT
This issue was previously reported and fixed in Fedora and EPEL: Bug #783742
Comment 4 Tomas Hoger 2012-03-16 05:53:38 EDT
(In reply to comment #3)
> This issue was previously reported and fixed in Fedora and EPEL: Bug #783742

If they are fixed, it's ok to close:dupe bug 803919 and 803921 against that bug. There's no mention of EPEL-5 fix in bug 783742.  Does that remain affected?
Comment 5 Paul Howarth 2012-03-16 05:59:02 EDT
EPEL-5 has mod_fcgid version 2.2. My understanding is that this bug is a regression introduced in 2.3.6 and so EPEL-5 should not be affected.
Comment 6 Paul Howarth 2012-03-16 06:04:24 EDT
If you look at the upstream bug report (https://issues.apache.org/bugzilla/show_bug.cgi?id=49902) you'll see that the original reporter noted that 2.2 did not suffer from this problem, so I can safely say that EPEL-5 is not affected.
Comment 7 Tomas Hoger 2012-03-16 06:13:14 EDT
Ok, thank you!
