https://bz.apache.org/bugzilla/show_bug.cgi?id=63742

            Bug ID: 63742
           Summary: Qualys Full Standard Community Scan, Requires Login
                    not qualys SSL Labs quick scan, Causes 100% CPU -
                    2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41
                    w/openssl-1.1.1c
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: All
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Qualys:  Scanner Appliance: 64.39.99.243 (Scanner 11.5.21-1, Vulnerability
Signatures 2.4.694-2) 

Our production Apache httpd 2.4.37 server running with OpenSSL 1.1.1a has been
getting hit with Qualys scans like clockwork, and every time our CPU goes to
100% and, after more scans, to 200% CPU. After reading the bug reports I upgraded
to 2.4.38, which made no difference. I then upgraded to the latest stable
version, httpd 2.4.41, and ran with the latest stable OpenSSL v1.1.1c, and get the
same issue.

I also tried configuring TLS from TLSv1.2 and TLSv1.3 to only TLSv1.2 and
still have 100% CPU after one Qualys community scan.
I also tried to deny service with SSLRequire on the IPs 64.39.103, 64.39.99 and
64.39.111, and also RequireAll, trying combinations, but nothing stops the
100% CPU so far.

The Qualys scan is repeatable and I'm using standard configurations and builds
on Red Hat Linux, although an older Red Hat Enterprise Linux Server release 5.11
(Tikanga).
   apr-1.6.5
   expat-2.2.6
   apr-util-1.6.1
   pcre-8.42
   openssl_1.1.1a,   httpd 2.4.37, 2.4.38
   openssl_1.1.1c,   httpd 2.4.41

  ./configure --prefix=/opt/fedex/fxnet/vendor/apache/2.4.41 \
    --with-pcre=/vendor/apache/pcre-8.42 \
    --with-ssl=//vendor/apache/openssl_1.1.1c \
    --with-z=/vendor/apache/zlib-1.2.11 \
    --enable-ssl --enable-shared --enable-deflate --enable-mime --enable-dbd \
    --enable-socache-shmcb \
    --with-apr=/vendor/apache/apr-1.6.5 \
    --with-apr-util=/vendor/apache/apr-util-1.6.1

Tried but failed, trying combinations:
<Directory / >
  Options FollowSymLinks
  AllowOverride None
  <RequireAll>
    Require all denied
    Require not ip 64.39.111
    Require not ip 64.39.103
    Require not ip 64.39.99
  </RequireAll>
</Directory>
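As an added illustration (not part of the reporter's bug or of the httpd project), this is what the mod_authz_host form of that block-list looks like: inside <RequireAll>, a "Require not ip" rule only works next to a positive rule such as "Require all granted"; combined with "Require all denied", as in the configuration above, every client is refused, scanner or not. The three networks are the ones named in the report; the /24 CIDR form is assumed to be what the partial addresses were meant to cover.

```apache
# Added example, not from the bug report: deny the three scanner networks the
# reporter names and allow everyone else. "Require not ip" is only valid inside
# <RequireAll> / <RequireNone> and needs a positive rule beside it; pairing it
# with "Require all denied" denies every client.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require all granted
        # Partial addresses such as 64.39.99 also match as a prefix; the CIDR
        # form below is assumed to be the intended range and is explicit.
        Require not ip 64.39.99.0/24
        Require not ip 64.39.103.0/24
        Require not ip 64.39.111.0/24
    </RequireAll>
</Directory>
```

Note that mod_authz_host decides per request, after the TLS handshake has already completed, so it cannot avoid handshake-driven CPU use; only dropping those source ranges at the host firewall or network edge prevents the handshake cost altogether.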
