enterprise-support team mailing list archive

Thread
Date

[Bug 1836329] [NEW] Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Stefan Huehner <1836329@xxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Jul 2019 08:11:37 -0000
Reply-to: Bug 1836329 <1836329@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

With latest apache 2.4.29-1ubuntu4.7 published to 18.04 LTS bionic, when
running ssllabs.com/ssltest against it to verify the configuration it
leaves 2 apache processes using 100% indefinitely.

Downgrading to 2.4.29-1ubuntu4.6 make it not reproducible anymore.

So far i do not know if it is easy/likely to hit this case in normal
https usage or only triggered by that testing site.

But given that this is backported to LTS and allows easy DoS maybe the
4.7 should be backed out?

So likely regression in the update to 4.7 having only single fix:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039

Extra info observed when that ssltest is over but processes are still
there using up cpu:

/server-status shows both processes 25234,25235 here in 'Reading' state:
Srv	PID	Acc	M	CPU 	SS	Req	Conn	Child	Slot	Client	Protocol	VHost	Request
0-0	25234	0/0/0	W 	0.00	0	0	0.0	0.00	0.00 	127.0.0.1	http/1.1	ip-172-30-1-107.eu-west-1.compu	GET /server-status HTTP/1.1
0-0	25234	0/0/0	R 	0.00	641	0	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	0.00	505	2	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	0.00	501	0	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	0.00	500	0	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	0.00	494	0	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	0.00	604	0	0.0	0.00	0.00 	64.41.200.106	http/1.1		
1-0	25235	0/1/1	_ 	0.00	604	0	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	16.93	596	0	0.0	0.00	0.00 	64.41.200.107	http/1.1		
1-0	25235	0/1/1	_ 	0.01	595	1	0.0	0.00	0.00 	64.41.200.106	http/1.1		
1-0	25235	0/0/0	R 	0.00	679	0	0.0	0.00	0.00 	64.41.200.106	http/1.1

netstat on system:
tcp6       1      0 172.30.1.57:443         64.41.200.106:58658     CLOSE_WAIT 
tcp6       1      0 172.30.1.57:443         64.41.200.107:60842     CLOSE_WAIT 

with on other connections to 443 port.

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1836329

Title:
  Regression running ssllabs.com/ssltest causes 2 apache process to eat
  up 100% cpu, easy DoS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1836329/+subscriptions

Follow ups

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS
From: Launchpad Bug Tracker, 2019-07-18
[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS
From: Launchpad Bug Tracker, 2019-07-18
[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS
From: Andreas Hasenack, 2019-07-15
[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS
From: Andreas Hasenack, 2019-07-15
[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS
From: Andreas Hasenack, 2019-07-15