Apache httpd DoS with compressed request bodies

IDs: 
CVE-2014-0118
Keywords: 
Apache, httpd, mod_deflate, DoS, Denial of Service
Description: 

Airlock is affected by a denial of service vulnerability. A hotfix is provided.

Several denial of service (DoS) vulnerabilities have been fixed in the newest version of Apache httpd [1]. Airlock is affected by the DoS vulnerability CVE-2014-0118 related to the Apache module mod_deflate. All other DoS vulnerabilities do not affect Airlock because the corresponding modules are not used (mod_proxy, mod_status, mod_cgid and WinNT MPM).

The vulnerable Apache module mod_deflate is used to decompress and inspect compressed request bodies. This is done by default and does not depend on the settings in the Configuration Center. By sending a highly compressed request body, an attacker may be able to conduct a DoS attack.

Airlock limits the maximum size of a request body by default to 100MB in Airlock 5.0 and 1GB in Airlock 4.2.6(.X) (Mapping -> Allow Rules -> Length Check -> Max request body size). Unfortunately, older Apache versions check this setting only against the compressed request body, not the decompressed one. An attacker may therefore be able to allocate 4GB of memory with a single compressed request, 4GB being the decompression limit of mod_deflate.

The provided hotfixes update Apache httpd to the newest versions: 2.2.28 for Airlock 4.2.6(.X) and 2.4.10 for Airlock 5.0. After applying the hotfix, Airlock no longer decompresses a request body beyond the data size limit configured by the setting Max request body size. Furthermore, decompression of the request body is aborted if the compression ratio exceeds a certain limit, which indicates a maliciously crafted request.
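The two checks the hotfix introduces, a cap on the decompressed size and a cap on the compression ratio, are easy to get wrong if the body is decompressed in one step and measured afterwards. The example below is an added illustration, not Airlock's or Apache httpd's code: it contrasts the flawed check described above (comparing only the compressed length against the limit) with a streaming inflater that enforces both caps while the body is still being decompressed. The ratio check is a simplified cumulative ratio with a small burst allowance, so it does not reproduce mod_deflate's exact algorithm; the sample request bodies are constructed inline.

```python
"""Added example (not Airlock's or Apache's code): enforce request-body limits
on the *decompressed* size and on the compression ratio while streaming."""
import zlib

# Constructed sample inputs (not from the advisory).
SAMPLE_BODY = b'{"user": "alice", "action": "login"}' * 4
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_BODY)           # an ordinary small request body
ZERO_BODY_COMPRESSED = zlib.compress(b"\0" * (1 << 20))   # 1 MiB of zeros, roughly 1 KB compressed


class BodyLimitExceeded(Exception):
    """Raised when a limit is hit; `reason` is "size" or "ratio"."""

    def __init__(self, reason: str, message: str):
        super().__init__(message)
        self.reason = reason


def naive_size_check(compressed: bytes, max_body: int) -> bool:
    """The flawed check: compares only the compressed length against the
    body-size limit, so a tiny but highly compressible body passes."""
    return len(compressed) <= max_body


def inflate_with_limits(compressed: bytes, max_body: int, max_ratio: int,
                        burst: int = 1024, chunk_size: int = 4096) -> bytes:
    """Decompress a zlib- or gzip-wrapped body, aborting as soon as the output
    exceeds `max_body` bytes or the cumulative ratio of decompressed to
    consumed input exceeds `max_ratio` (ratio is only judged once more than
    `burst` bytes have been produced, so short bodies are not penalised)."""
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 32)  # +32: auto-detect zlib/gzip header
    out = bytearray()
    consumed = 0
    for start in range(0, len(compressed), chunk_size):
        pending = compressed[start:start + chunk_size]
        consumed += len(pending)
        while pending:
            # Never let a single decompress() call produce more than one byte
            # past the cap; that one byte is what makes the overflow detectable.
            room = max_body + 1 - len(out)
            out += inflater.decompress(pending, room)
            pending = inflater.unconsumed_tail
            if len(out) > max_body:
                raise BodyLimitExceeded(
                    "size", f"decompressed body exceeds {max_body} bytes")
            if len(out) > burst and len(out) > max_ratio * consumed:
                raise BodyLimitExceeded(
                    "ratio", f"compression ratio exceeds {max_ratio}:1")
    out += inflater.flush()
    if len(out) > max_body:
        raise BodyLimitExceeded("size", f"decompressed body exceeds {max_body} bytes")
    return bytes(out)


if __name__ == "__main__":
    limit = 64 * 1024
    print("naive check accepts inflating body:", naive_size_check(ZERO_BODY_COMPRESSED, limit))
    print("normal body inflated to", len(inflate_with_limits(SAMPLE_COMPRESSED, limit, 100)), "bytes")
    try:
        inflate_with_limits(ZERO_BODY_COMPRESSED, limit, 100)
    except BodyLimitExceeded as exc:
        print("inflating body rejected:", exc.reason, "-", exc)
```

Checking `room` before every `decompress()` call is the essential part: measuring `len(out)` only after a single unbounded decompress would already have allocated the full expanded body, which is exactly the allocation the advisory warns about. In httpd 2.4.10 the corresponding knobs are the `DeflateInflateLimitRequestBody`, `DeflateInflateRatioLimit` and `DeflateInflateRatioBurst` directives of mod_deflate.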

Resolution: 

We recommend applying the following hotfixes to Airlock:

- HF5003 for Airlock 5.0
- HF4225 for Airlock 4.2.6 to 4.2.6.3

The hotfixes are available in the download section of Airlock Techzone.

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock