Bugzilla – Bug 887769
VUL-0: CVE-2014-0118: apache2: mod_deflate denial of service
Last modified: 2018-03-03 18:08:07 UTC
CVE-2014-0118 A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration. References: https://bugzilla.redhat.com/show_bug.cgi?id=1120601 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118
bugbot adjusting priority
input request filtering with DEFLATE (gzip) is highly unusual (as stated above), it is not the default and requires the directive SetInputFilter DEFLATE to be set by the server administrator. When doing so, it should be clear that CPU resource consumption due to mod_deflate CPU bound load is not under any control of the server administrator any more, as the input to the server is sent by the client. This makes it a non-issue for security. Upstream has a solution in which mod_deflate evaluates the inflate ratio to be able to abort based on a limit set with new configuration directives. For as long as the measurement is not accounted for during the phase of a request when the first request body data is received, a spray of DEFLATE-encoded smaller requests can still trigger the CPU bound DoS. The corresponding patch by Eric Covener is only half as intrusive as it may look, but since the security implication can be disputed, I suggest to set this bug to WONTFIX. http://svn.us.apache.org/viewvc?view=revision&revision=1610501 Thank you, Roman.