oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-request: apache's mod-fcgid does not respect configured FcgidMaxProcessesPerClass in VirtualHost

From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 15 Mar 2012 18:40:27 -0600
On 03/15/2012 12:39 PM, Daniel Kahn Gillmor wrote:

Version 2.3.6 of mod-fcgid (the current published version from ASF
according to [0]) has a known problem that FcgidMaxProcessesPerClass
directives are not honored when they appear inside a VirtualHost stanza.

This is presents a risk for a denial of service because it means that
a remote attacker can violate the intent of the admin and overwhelm
the server running fcgid.

Could a CVE be assigned for this vulnerability?

If the admin declares that a given virtualhost should be limited to X
fastcgi processes (often in order to constrain RAM usage by the
vhost), any remote user can issue X+1 (or 10X, or whatever) concurrent
GET requests, which defeats the documented limit, and can result in
heavy swap or the oom-killer, which can cause a DoS on other services
on the host.

This bug has been fixed since the release of 2.3.6 in upstream's svn
(r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk)
with a narrowly-targeted one-line patch:

--- modules/fcgid/fcgid_spawn_ctl.c    (revision 1037726)
+++ modules/fcgid/fcgid_spawn_ctl.c    (revision 1037727)
@@ -178,7 +178,7 @@
         if (current_node->inode == command->inode
             && current_node->deviceid == command->deviceid
             && !strcmp(current_node->cmdline, command->cmdline)
-            && current_node->vhost_id == sconf->vhost_id
+            && current_node->vhost_id == command->vhost_id
             && current_node->uid == command->uid
             && current_node->gid == command->gid)
             break;

But this patch hasn't made it to any released version.

Debian has plans to release a Debian Security Advisory for the issue
and will resolve it with the above patch.

This problem is also documented at:

 https://issues.apache.org/bugzilla/show_bug.cgi?id=49902
 http://bugs.debian.org/615814

Regards,

    --dkg

[0] https://httpd.apache.org/mod_fcgid/

Please use CVE-2012-1181 for this issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: