Bug 887769 - (CVE-2014-0118) VUL-0: CVE-2014-0118: apache2: mod_deflate denial of service
VUL-0: CVE-2014-0118: apache2: mod_deflate denial of service
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Roman Drahtmueller
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2014-07-17 13:46 UTC by Victor Pereira
Modified: 2018-03-03 18:08 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-07-17 13:46:04 UTC

A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration.

Comment 1 Swamp Workflow Management 2014-07-17 22:02:45 UTC
bugbot adjusting priority
Comment 2 Roman Drahtmueller 2014-07-18 18:56:32 UTC
input request filtering with DEFLATE (gzip) is highly unusual
(as stated above), it is not the default and requires the directive

  SetInputFilter DEFLATE

to be set by the server administrator.
When doing so, it should be clear that CPU resource consumption due 
to mod_deflate CPU bound load is not under any control of the
server administrator any more, as the input to the server is sent
by the client. This makes it a non-issue for security.

Upstream has a solution in which mod_deflate evaluates the inflate 
ratio to be able to abort based on a limit set with new configuration
directives. For as long as the measurement is not accounted for during
the phase of a request when the first request body data is received,
a spray of DEFLATE-encoded smaller requests can still trigger the CPU
bound DoS.
The corresponding patch by Eric Covener is only half as intrusive as it
may look, but since the security implication can be disputed, I
suggest to set this bug to WONTFIX.


Thank you,