Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 15 Mar 2012 18:40:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>
Subject: Re: CVE-request: apache's mod-fcgid does not respect
 configured FcgidMaxProcessesPerClass in VirtualHost

On 03/15/2012 12:39 PM, Daniel Kahn Gillmor wrote:
> Version 2.3.6 of mod-fcgid (the current published version from ASF
> according to [0]) has a known problem that FcgidMaxProcessesPerClass
> directives are not honored when they appear inside a VirtualHost stanza.
>
> This is presents a risk for a denial of service because it means that
> a remote attacker can violate the intent of the admin and overwhelm
> the server running fcgid.
>
> Could a CVE be assigned for this vulnerability?
>
> If the admin declares that a given virtualhost should be limited to X
> fastcgi processes (often in order to constrain RAM usage by the
> vhost), any remote user can issue X+1 (or 10X, or whatever) concurrent
> GET requests, which defeats the documented limit, and can result in
> heavy swap or the oom-killer, which can cause a DoS on other services
> on the host.
>
> This bug has been fixed since the release of 2.3.6 in upstream's svn
> (r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk)
> with a narrowly-targeted one-line patch:
>
> --- modules/fcgid/fcgid_spawn_ctl.c    (revision 1037726)
> +++ modules/fcgid/fcgid_spawn_ctl.c    (revision 1037727)
> @@ -178,7 +178,7 @@
>          if (current_node->inode == command->inode
>              && current_node->deviceid == command->deviceid
>              && !strcmp(current_node->cmdline, command->cmdline)
> -            && current_node->vhost_id == sconf->vhost_id
> +            && current_node->vhost_id == command->vhost_id
>              && current_node->uid == command->uid
>              && current_node->gid == command->gid)
>              break;
>
> But this patch hasn't made it to any released version.
>
> Debian has plans to release a Debian Security Advisory for the issue
> and will resolve it with the above patch.
>
> This problem is also documented at:
>
>  https://issues.apache.org/bugzilla/show_bug.cgi?id=49902
>  http://bugs.debian.org/615814
>
> Regards,
>
>     --dkg
>
> [0] https://httpd.apache.org/mod_fcgid/
Please use CVE-2012-1181 for this issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ