CVE-request: apache's mod-fcgid does not respect configured FcgidMaxProcessesPerClass in VirtualHost
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 15 Mar 2012 14:39:40 -0400
Version 2.3.6 of mod-fcgid (the current published version from ASF
according to ) has a known problem that FcgidMaxProcessesPerClass
directives are not honored when they appear inside a VirtualHost stanza.
This presents a risk for a denial of service because it means that a
remote attacker can violate the intent of the admin and overwhelm the
server running fcgid.
Could a CVE be assigned for this vulnerability?
If the admin declares that a given virtualhost should be limited to X
fastcgi processes (often in order to constrain RAM usage by the vhost),
any remote user can issue X+1 (or 10X, or whatever) concurrent GET
requests, which defeats the documented limit, and can result in heavy
swap or the oom-killer, which can cause a DoS on other services on the host.
This bug has been fixed since the release of 2.3.6 in upstream's svn
(r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk)
with a narrowly-targeted one-line patch:
--- modules/fcgid/fcgid_spawn_ctl.c (revision 1037726)
+++ modules/fcgid/fcgid_spawn_ctl.c (revision 1037727)
@@ -178,7 +178,7 @@
if (current_node->inode == command->inode
&& current_node->deviceid == command->deviceid
&& !strcmp(current_node->cmdline, command->cmdline)
- && current_node->vhost_id == sconf->vhost_id
+ && current_node->vhost_id == command->vhost_id
&& current_node->uid == command->uid
&& current_node->gid == command->gid)
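Review bot: with `current_node->vhost_id == command->vhost_id` every one of the six fields in this match is now read from `command`, but the hunk does not show where `sconf` was obtained or whether it is referenced again after this comparison; if this was its last use, drop the now-dead local (or at least check the build for an unused-variable warning), and add a one-line comment stating that the process class is identified by the vhost the command was configured in rather than by the server config the check runs under, so that the old `sconf->vhost_id` form is not reintroduced the next time someone touches this loop.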
But this patch hasn't made it to any released version.
Debian has plans to release a Debian Security Advisory for the issue and
will resolve it with the above patch.
This problem is also documented at:
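The following is an added model of the bookkeeping the one-line patch above touches; it is not mod_fcgid's code and was not posted with the message. It keeps the six fields compared in the hunk (inode, deviceid, cmdline, vhost_id, uid, gid) and assumes two things the patch alone does not state: that registration of a spawned process keys on the command's own vhost_id, and that when the spawn check finds no matching class it treats the class as empty and allows the spawn. Under those assumptions, comparing against a vhost_id that differs from the command's (here a constructed "main server" id standing in for `sconf->vhost_id`) means the class counter is never consulted for a vhost, so the configured limit never trips and every concurrent request gets its own process; comparing against `command->vhost_id` makes the limit hold.

```c
/* Added example, not mod_fcgid's own code: a minimal model of the
 * spawn-control match changed by the patch. Field names follow the hunk;
 * the node list, counters and "no match => allow" rule are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    long inode;
    long deviceid;
    const char *cmdline;
    int vhost_id;
    int uid;
    int gid;
} fcgid_command;

/* One process class: the identity fields plus the number of live
 * FastCGI processes currently belonging to it. */
typedef struct stat_node {
    fcgid_command cmd;
    int process_counter;
    struct stat_node *next;
} stat_node;

/* The six-field comparison from the hunk, with the vhost_id to compare
 * against passed in so both the old and the new form can be exercised. */
static int same_class(const stat_node *n, const fcgid_command *c, int vhost_id)
{
    return n->cmd.inode == c->inode
        && n->cmd.deviceid == c->deviceid
        && !strcmp(n->cmd.cmdline, c->cmdline)
        && n->cmd.vhost_id == vhost_id
        && n->cmd.uid == c->uid
        && n->cmd.gid == c->gid;
}

/* Registration of a spawned process: assumed to key on the command's
 * own vhost_id, creating the class node on first use. */
static void register_spawn(stat_node **head, const fcgid_command *c)
{
    stat_node *n;
    for (n = *head; n; n = n->next)
        if (same_class(n, c, c->vhost_id)) { n->process_counter++; return; }
    n = calloc(1, sizeof *n);
    n->cmd = *c;
    n->process_counter = 1;
    n->next = *head;
    *head = n;
}

/* Spawn check: locate the class and compare its counter with the
 * per-class limit. lookup_vhost_id is sconf->vhost_id for the buggy
 * build and command->vhost_id for the fixed one. A class with no node
 * is treated as empty (assumption of this model). */
static int spawn_allowed(const stat_node *head, const fcgid_command *c,
                         int lookup_vhost_id, int max_class_process)
{
    const stat_node *n;
    for (n = head; n; n = n->next)
        if (same_class(n, c, lookup_vhost_id))
            return n->process_counter < max_class_process;
    return 1;
}

/* Run `requests` concurrent requests for one constructed vhost command
 * through the check and return how many processes were spawned. */
int spawned_under_limit(int use_command_vhost, int limit, int requests)
{
    stat_node *head = NULL;
    /* constructed command: a php-cgi wrapper configured in vhost 7 */
    fcgid_command php = { 1234, 1, "/usr/bin/php-cgi", 7, 33, 33 };
    int main_server_vhost_id = 0;   /* stands in for sconf->vhost_id */
    int spawned = 0, i;
    for (i = 0; i < requests; i++) {
        int lookup = use_command_vhost ? php.vhost_id : main_server_vhost_id;
        if (spawn_allowed(head, &php, lookup, limit)) {
            register_spawn(&head, &php);
            spawned++;
        }
    }
    while (head) { stat_node *t = head->next; free(head); head = t; }
    return spawned;
}

int main(void)
{
    printf("old compare (sconf->vhost_id):   %d processes for limit 5, 50 requests\n",
           spawned_under_limit(0, 5, 50));
    printf("new compare (command->vhost_id): %d processes for limit 5, 50 requests\n",
           spawned_under_limit(1, 5, 50));
    return 0;
}
```

The same shape of bug (a limit whose lookup key differs from the key used when the resource is registered) is worth checking for in any per-tenant quota code: the check passes not because the count is under the limit but because it never finds the count at all.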