CVE-2008-2364

I’ve been asked a few times about the Apache vulnerability CVE-2008-2364.  Most recently today by a colleague, who asked if it affects the Prefork MPM (answer: the MPM makes no difference).  I’m going to stick my neck out and say (almost) everyone can and should ignore it.

Just for the record, here’s the explanation of what it’s about.  It’s a Denial of Service, and it’s perpetrated not by a client (browser) who could be anyone, but by a backend server that Apache is proxying.

Backend server sends an interim (1xx) response:

HTTP/1.1 100 Continue

Apache eats a few bytes of memory to process it.  The memory is returned to the free pool when the request completes.

Backend repeats the above a million times; now Apache eats a few million bytes to process them.  The memory is not returned to the free pool until the request completes.  This makes for a possible but unlikely DoS attack.

There’s no valid reason for a backend to send more than one interim response to a request.  But it’s not forbidden.  Recent Apache versions fix this by limiting the number of interim responses that will be processed.
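To make the mechanism and the fix concrete, here is an added example, not Apache's code and not from the post's author: a minimal proxy-side response reader that skips interim (1xx) responses, keeps their header blocks around until the final response arrives (as an unbounded proxy would keep them in the request pool), and refuses to process more than a cap of 10 interim responses. The cap value, the function and constant names, and the byte streams fed to it are all assumptions constructed for the example.

```python
"""Proxy-side reader for an HTTP/1.1 response stream that bounds the number
of interim (1xx) responses it will process before the final response.

Added example illustrating the CVE-2008-2364 mechanism and its fix; it is
not Apache's code.  The cap value and all names here are assumptions.
"""
import io

# Assumed cap for this example (not quoting Apache's own constant).
MAX_INTERIM_RESPONSES = 10


class TooManyInterimResponses(Exception):
    """Raised when the backend exceeds the interim-response budget."""


def _read_header_block(stream):
    """Read one status line plus headers up to the blank line.

    Returns (status_code, headers) where headers is a list of raw lines.
    Each block read here costs memory for as long as the caller keeps it,
    which mirrors the per-response allocation a proxy makes.
    """
    status_line = stream.readline()
    if not status_line:
        raise ValueError("connection closed before a status line")
    parts = status_line.decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % status_line)
    status = int(parts[1])
    headers = []
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        headers.append(line)
    return status, headers


def read_final_response(stream, max_interim=MAX_INTERIM_RESPONSES):
    """Skip interim responses until a final (non-1xx) status arrives.

    Returns (final_status, interim_count, retained_bytes).  retained_bytes
    models what an unbounded proxy keeps in its request pool: interim header
    blocks are held until the request completes, so without the cap a
    backend can make this grow without limit.
    """
    interim_count = 0
    retained = []  # interim header blocks kept until request completion
    while True:
        status, headers = _read_header_block(stream)
        if 100 <= status < 200:
            interim_count += 1
            if interim_count > max_interim:
                raise TooManyInterimResponses(
                    "backend sent more than %d interim responses" % max_interim)
            retained.extend(headers)
            continue
        retained_bytes = sum(len(h) for h in retained)
        return status, interim_count, retained_bytes


def _backend_stream(n_interim):
    """Constructed sample: n_interim '100 Continue' blocks, then a 200."""
    interim = b"HTTP/1.1 100 Continue\r\nX-Note: interim\r\n\r\n"
    final = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    return io.BytesIO(interim * n_interim + final)


def demo():
    """Well-behaved backend is accepted; a flood of 1xx blocks is rejected."""
    ok = read_final_response(_backend_stream(1))
    try:
        read_final_response(_backend_stream(MAX_INTERIM_RESPONSES + 1))
        rejected = False
    except TooManyInterimResponses:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

Raising the cap to a very large number reproduces the unbounded behaviour: the retained byte count then grows linearly with the number of interim blocks the backend sends, which is exactly the per-request growth the post describes, and the small fixed cap is what turns it back into a bounded cost.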

Posted on December 3, 2008, in apache, security. 2 Comments.

  1. It’s not a security issue in a reverse proxy configuration, as you describe.

    It’s a security issue in a forward proxy configuration where clients are
    viewing random untrusted sites through the proxy, and any of those
    untrusted sites can DoS the proxy by sending a stream of 1xx responses.

  2. Joe, yes indeed (though my description is generic, either forward or reverse proxy). But AIUI Apache is far more commonly used as reverse proxy than forward, where it lacks many of the bells-and-whistles provided by squid.
