Bug 752598 (CVE-2012-1181) - VUL-0: CVE-2012-1181: apache2-mod_fcgid: FcgidMaxProcessesPerClass not honored
Summary: VUL-0: CVE-2012-1181: apache2-mod_fcgid: FcgidMaxProcessesPerClass not honored
Status: RESOLVED FIXED
Alias: CVE-2012-1181
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Roman Drahtmueller
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-16 10:25 UTC by Ludwig Nussel
Modified: 2014-09-02 12:06 UTC
CC List: 2 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Ludwig Nussel 2012-03-16 10:25:40 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2012-1181

------------------------------------------------------------------------------
Date: Thu, 15 Mar 2012 14:39:40 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: [oss-security] CVE-request: apache's mod-fcgid does not respect configured FcgidMaxProcessesPerClass in VirtualHost

Version 2.3.6 of mod-fcgid (the current published version from ASF 
according to [0]) has a known problem that FcgidMaxProcessesPerClass 
directives are not honored when they appear inside a VirtualHost stanza.

This presents a risk of denial of service because it means that a 
remote attacker can violate the intent of the admin and overwhelm the 
server running fcgid.

Could a CVE be assigned for this vulnerability?

If the admin declares that a given virtualhost should be limited to X 
fastcgi processes (often in order to constrain RAM usage by the vhost), 
any remote user can issue X+1 (or 10X, or whatever) concurrent GET 
requests, which defeats the documented limit, and can result in heavy 
swap or the oom-killer, which can cause a DoS on other services on the host.

This bug has been fixed since the release of 2.3.6 in upstream's svn 
(r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk) 
with a narrowly-targeted one-line patch:

--- modules/fcgid/fcgid_spawn_ctl.c	(revision 1037726)
+++ modules/fcgid/fcgid_spawn_ctl.c	(revision 1037727)
@@ -178,7 +178,7 @@
          if (current_node->inode == command->inode
              && current_node->deviceid == command->deviceid
              && !strcmp(current_node->cmdline, command->cmdline)
-            && current_node->vhost_id == sconf->vhost_id
+            && current_node->vhost_id == command->vhost_id
              && current_node->uid == command->uid
              && current_node->gid == command->gid)
              break;
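Review bot: the vhost key is the only field of this lookup taken from `sconf` rather than from `command`; inode, deviceid, cmdline, uid and gid all compare against the command being spawned, so a node registered under a command's vhost_id can never match whenever `sconf->vhost_id` differs from `command->vhost_id`, and the per-class count for that vhost is never consulted. The one-line switch to `command->vhost_id` makes the key consistent; it would be worth adding a comment above the comparison saying that every key field must come from `command`, and a regression test that `FcgidMaxProcessesPerClass` set inside a `<VirtualHost>` actually caps spawns for that vhost.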

But this patch hasn't made it to any released version.

Debian has plans to release a Debian Security Advisory for the issue and 
will resolve it with the above patch.

This problem is also documented at:

  https://issues.apache.org/bugzilla/show_bug.cgi?id=49902
  http://bugs.debian.org/615814

Regards,

	--dkg

[0] https://httpd.apache.org/mod_fcgid/
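The following is an added model of the spawn-control lookup that the patch above changes; it is not part of this bug report and not mod_fcgid's code. Only the six-field comparison is taken from the hunk. The struct layouts, the split into a check (`is_spawn_allowed`) and a bookkeeping call (`register_spawn`), the rule that an unknown class is allowed to spawn, and the sample command and vhost ids are assumptions made to show why keying the check on `sconf->vhost_id` instead of `command->vhost_id` lets a vhost exceed its configured limit.

```c
/*
 * Constructed model (not mod_fcgid source) of the per-class spawn check.
 * Assumed: sconf is the main server's config (vhost 0), registration keys
 * nodes on command->vhost_id, and a class with no node is allowed to spawn.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct fcgid_command {        /* field names as in the hunk */
    long inode, deviceid;
    const char *cmdline;
    int vhost_id, uid, gid;
} fcgid_command;

typedef struct fcgid_server_conf {    /* assumed: only the two fields needed here */
    int vhost_id;
    int max_class_process_count;      /* FcgidMaxProcessesPerClass */
} fcgid_server_conf;

typedef struct stat_node {            /* one process class and its live count */
    long inode, deviceid;
    const char *cmdline;
    int vhost_id, uid, gid;
    int process_count;
    struct stat_node *next;
} stat_node;

/* The six-field class lookup; vhost_key is what the patch changes. */
static stat_node *find_class(stat_node *head, const fcgid_command *command,
                             int vhost_key)
{
    stat_node *n;
    for (n = head; n != NULL; n = n->next) {
        if (n->inode == command->inode
            && n->deviceid == command->deviceid
            && !strcmp(n->cmdline, command->cmdline)
            && n->vhost_id == vhost_key
            && n->uid == command->uid
            && n->gid == command->gid)
            return n;
    }
    return NULL;
}

/* Spawn check. buggy=1 keys on sconf->vhost_id (pre-r1037727), else on command->vhost_id. */
static int is_spawn_allowed(stat_node *head, const fcgid_server_conf *sconf,
                            const fcgid_command *command, int buggy)
{
    int key = buggy ? sconf->vhost_id : command->vhost_id;
    stat_node *n = find_class(head, command, key);
    if (n == NULL)
        return 1;                     /* assumed: no node yet => allow */
    return n->process_count < sconf->max_class_process_count;
}

/* Bookkeeping after a spawn; assumed to key on the command's own vhost id. */
static stat_node *register_spawn(stat_node *head, const fcgid_command *command)
{
    stat_node *n = find_class(head, command, command->vhost_id);
    if (n == NULL) {
        n = calloc(1, sizeof *n);
        n->inode = command->inode;   n->deviceid = command->deviceid;
        n->cmdline = command->cmdline; n->vhost_id = command->vhost_id;
        n->uid = command->uid;       n->gid = command->gid;
        n->next = head;
        head = n;
    }
    n->process_count++;
    return head;
}

static void free_classes(stat_node *head)
{
    while (head != NULL) {
        stat_node *next = head->next;
        free(head);
        head = next;
    }
}

/*
 * Issue `requests` spawn attempts for one vhost's script (constructed: vhost 7,
 * main server is vhost 0) under a per-class limit of `limit`; return how many
 * processes were allowed to start.
 */
int spawned_for_vhost(int requests, int limit, int buggy)
{
    const fcgid_server_conf sconf = { 0, limit };                      /* main_server */
    const fcgid_command command = { 1234, 5, "/srv/vhost7/app.fcgi", 7, 33, 33 };
    stat_node *head = NULL;
    int allowed = 0, i;
    for (i = 0; i < requests; i++) {
        if (!is_spawn_allowed(head, &sconf, &command, buggy))
            continue;                 /* limit reached: request waits/fails */
        head = register_spawn(head, &command);
        allowed++;
    }
    free_classes(head);
    return allowed;
}

int main(void)
{
    printf("limit 4, 50 requests: buggy=%d fixed=%d\n",
           spawned_for_vhost(50, 4, 1), spawned_for_vhost(50, 4, 0));
    return 0;
}
```

With the pre-patch key the check never finds the node that `register_spawn` created for vhost 7, so every attempt is treated as a new class and all 50 spawn; with the patched key the same node is found on the second attempt and spawning stops at the configured 4. This is the X+1 (or 10X) concurrent-GET scenario from the report in miniature, under the stated assumptions about the surrounding code.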
Comment 1 Swamp Workflow Management 2012-03-16 23:00:21 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2012-03-20 07:59:17 UTC
The vhost_id check is not in the SLE11 SP1 apache2-mod_fcgid, so it does not classify
based on vhost_id. As it is not checking it, SLES is not affected, I think.


Issue only affects openSUSE.
Comment 3 Marcus Meissner 2013-10-09 12:28:49 UTC
12.2 and 12.3 still affected. 13.1 has 2.3.7 and is fixed
Comment 4 Marcus Meissner 2014-09-02 12:06:35 UTC
let's not fix it then