Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c (Apache Users)

Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: "users@xxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxx>

Subject: Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c

From: Robert Hathaway <robert.hathaway@xxxxxxxxxxx>

Date: Tue, 10 Sep 2019 16:56:26 +0000

Accept-language: en-US

Dlp-product: dlpe-windows

Dlp-reaction: no-action

Dlp-version: 11.1.100.23

Reply-to: users@xxxxxxxxxxxxxxxx

Thread-index: AdVn+Ky2pGr+jNKJQpu6uivOHvx0DQ==

Thread-topic: Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c

Qualys: Scanner Appliance: 64.39.99.243 (Scanner 11.5.21-1, Vulnerability Signatures 2.4.694-2)

Our production apache http 2.4.37 server running with openssl 1.1.1a have been getting hit with qualys scans like clockwork and every time our CPU goes to 100% and after more scans to 200% CPU. After reading the bug reports I upgraded to 2.4.38 which made no difference. I then upgraded to the latest stable version httpd 2.4.41 and ran with the latest stable openssl v1.1.1c and get the same issue.

I also tried configuring TLS from tlsv 1.2 and tlsv1.3 to only tlsv1.2 and still have 100% cpu after 1 qualy community scan

I also tried to deny service with SSLRequire on the IPs 64.39.103, 64.39.99, 64.39.111 and also RequireAll and trying combinations but nothing stops the 100% CPU so far.

The qualys scan is repeatable and I’m using standard configurations and builds on RedHat Linux, although an older Red Hat Enterprise Linux Server release 5.11 (Tikanga).

apr-1.6.5

expat-2.2.6

apr-util-1.6.1

pcre-8.42

openssl_1.1.1a, httpd 2.4.37, 2.4.38

openssl_1.1.1c, httpd 2.4.41

./configure --prefix=/vendor/apache/2.4.41 --with-pcre=/vendor/apache/pcre-8.42 --with-ssl=/vendor/apache/openssl_1.1.1c --with-z=/vendor/apache/zlib-1.2.11 --enable-ssl --enable-shared --enable-deflate --enable-mime --enable-dbd --enable-socache-shmcb --with-apr= /vendor/apache/apr-1.6.5 --with-apr-util=/vendor/apache/apr-util-1.6.1

Tried but failed, trying combinations:

Options FollowSymLinks

AllowOverride None

Require all denied

Require not ip 64.39.111

Require not ip 64.39.103

Require not ip 64.39.99

</RequireAll>

</Directory>

Thanks & Regards,

Bob

Bob Hathaway

Advanced Architect

Mphasis | Memphis

robert.hathaway@xxxxxxxxxxx

www.mphasis.com

Mobile: 201-390-7602

Office: 901-263-5805

Updated Logo

Information transmitted by this e-mail is proprietary to Mphasis, its associated companies and/ or its customers and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please notify us immediately at mailmaster@xxxxxxxxxxx and delete this mail from your records.