Qualys:  Scanner Appliance: 64.39.99.243 (Scanner 11.5.21-1, Vulnerability 
Signatures 2.4.694-2)

Our production Apache httpd 2.4.37 server running with OpenSSL 1.1.1a has been 
getting hit with Qualys scans like clockwork, and every time our CPU goes to 
100% and, after more scans, to 200% CPU. After reading the bug reports I 
upgraded to 2.4.38, which made no difference. I then upgraded to the latest 
stable version, httpd 2.4.41, and ran with the latest stable OpenSSL v1.1.1c 
and get the same issue.

I also tried configuring TLS from TLSv1.2 and TLSv1.3 to only TLSv1.2 and 
still have 100% CPU after one Qualys community scan.
I also tried to deny service with SSLRequire on the IPs 64.39.103, 64.39.99 and 
64.39.111, and also RequireAll, trying combinations, but nothing stops the 
100% CPU so far.

The qualys scan is repeatable and I'm using standard configurations and builds 
on RedHat Linux, although an older Red Hat Enterprise Linux Server release 5.11 
(Tikanga).
   apr-1.6.5
   expat-2.2.6
   apr-util-1.6.1
   pcre-8.42
   openssl_1.1.1a,   httpd 2.4.37, 2.4.38
   openssl_1.1.1c,   httpd 2.4.41

  ./configure --prefix=/vendor/apache/2.4.41 \
    --with-pcre=/vendor/apache/pcre-8.42 \
    --with-ssl=/vendor/apache/openssl_1.1.1c \
    --with-z=/vendor/apache/zlib-1.2.11 \
    --enable-ssl --enable-shared --enable-deflate --enable-mime \
    --enable-dbd --enable-socache-shmcb \
    --with-apr=/vendor/apache/apr-1.6.5 \
    --with-apr-util=/vendor/apache/apr-util-1.6.1

Tried but failed, trying combinations:
<Directory / >
  Options FollowSymLinks
  AllowOverride None
  <RequireAll>
    Require all denied
    Require not ip 64.39.111
    Require not ip 64.39.103
    Require not ip 64.39.99
  </RequireAll>
</Directory>


Thanks & Regards,
Bob

Bob Hathaway
Advanced Architect
Mphasis | Memphis
robert.hatha...@mphasis.com
www.mphasis.com
Mobile: 201-390-7602
Office: 901-263-5805
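An added example, not the poster's configuration and not from the httpd project, of the RequireAll form that actually expresses "everyone except these ranges". Inside a <RequireAll>, `Require all denied` fails for every client, so the block posted above rejects all requests and the `Require not ip` lines never influence the result; the documented idiom is `Require all granted` combined with the negations. The /24 networks below are an assumption spelled out from the partial addresses in the message (`Require ip` also accepts the partial dotted form, so `64.39.99` is legal as written). The caveat a defender wants: mod_authz only runs after the TLS handshake has completed and the request has been parsed, so this returns 403 to the scanner but cannot remove the handshake CPU cost; keeping the scanner ranges off the listener entirely requires a packet filter in front of httpd, or an agreement with whoever operates the scans.

```apache
# Added example, not the poster's config. The /24 ranges are an assumption
# derived from the partial addresses 64.39.99, 64.39.103 and 64.39.111.
<Directory "/">
    Options FollowSymLinks
    AllowOverride None
    # <RequireAll> fails as soon as any "Require not" matches the client and
    # otherwise needs at least one positive match; "Require all granted"
    # supplies that positive match, so only the listed ranges receive 403.
    <RequireAll>
        Require all granted
        Require not ip 64.39.99.0/24
        Require not ip 64.39.103.0/24
        Require not ip 64.39.111.0/24
    </RequireAll>
</Directory>
```

This block belongs in the server config (not .htaccess, since AllowOverride is None) and takes effect after a graceful restart. Because the denial happens at the authorization stage, it is a way to confirm the scanner is being rejected rather than a way to shed the handshake load the message describes.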