Slow HTTP POST vulnerability on CA Access Gateway
Article ID: 107034

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

How can the "Slow HTTP POST" vulnerability be mitigated on CA Access Gateway?

External reference for the vulnerability details:
CVE-2007-6750
https://www.cvedetails.com/cve/CVE-2007-6750/

Environment

OS: All platforms
SPS: 12.7sp2

Resolution

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.

CA Access Gateway 12.7.02 ships an upgraded Apache Tomcat 7.0.82, and its Apache HTTP Server has been upgraded to Apache HTTP Server 2.4.29, which is not affected by the CVE-2007-6750 Slow HTTP POST vulnerability.

This vulnerability is not caused by any CA Access Gateway code change or by any configuration change inside the SSO product. Because open source vulnerabilities are published on a continual basis, the standard SSO documentation cannot realistically cover every third-party vulnerability the security community has discovered.

This is purely an Apache defect: apache.org addressed the bug by changing the Apache code and by suggesting modifications to httpd.conf.

Customers should follow that advice and change the Apache configuration in httpd.conf, adding a block along these lines:

    <IfModule mod_reqtimeout.c>
        RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
    </IfModule>

Earlier releases of the CA proxy server may bundle an Apache version older than 2.2.15. Those releases do not have mod_reqtimeout.c built in, so the steps above do not apply to them; customers on such releases should upgrade the CA proxy server to a later release.
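As an added example (not part of this article and not CA product code), the following Python script parses the RequestReadTimeout directive out of an httpd.conf and compares it with the values recommended above. It also flags the situation the previous paragraph warns about: when the directive sits inside <IfModule mod_reqtimeout.c> but the module is not loaded, httpd silently skips it and the server stays unprotected. The sample configurations, the module path and the thresholds are constructed for illustration; the "unbounded timeout" rule follows the mod_reqtimeout documentation, where MinRate without a maximum timeout lets the timeout grow without an upper limit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample httpd.conf fragment (illustrative only, not a real
# CA Access Gateway configuration); mirrors the directive recommended in the article.
SAMPLE_HTTPD_CONF = """\
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule mod_reqtimeout.c>
    # 20 s for headers and body, extended 1 s per 500 bytes received, capped at 40 s
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
</IfModule>
"""

# Constructed fragment with no slow-request limits at all, as on an Apache build
# older than 2.2.15 or a configuration that was never updated.
SAMPLE_UNPROTECTED_CONF = """\
LoadModule rewrite_module modules/mod_rewrite.so
Timeout 300
"""

_DIRECTIVE_RE = re.compile(r"^\s*RequestReadTimeout\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_STAGE_RE = re.compile(r"^(header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?$", re.IGNORECASE)
_LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+reqtimeout_module\b", re.IGNORECASE | re.MULTILINE)


@dataclass
class StageTimeout:
    """One stage (header or body) of a RequestReadTimeout directive."""
    initial: int              # seconds allowed to finish reading this stage
    maximum: Optional[int]    # upper bound once MinRate extensions apply (None = no bound)
    min_rate: Optional[int]   # extend the timeout by 1 s per this many bytes (None = fixed)


def strip_comments(conf: str) -> str:
    """Drop whole-line '#' comments; httpd does not allow trailing comments on a directive."""
    return "\n".join(line for line in conf.splitlines() if not line.lstrip().startswith("#"))


def parse_request_read_timeout(conf: str) -> Dict[str, StageTimeout]:
    """Return header/body settings from RequestReadTimeout; later directives override earlier ones."""
    stages: Dict[str, StageTimeout] = {}
    for match in _DIRECTIVE_RE.finditer(strip_comments(conf)):
        for token in match.group(1).split():
            parsed = _STAGE_RE.match(token)
            if parsed is None:
                raise ValueError(f"unrecognised RequestReadTimeout argument: {token!r}")
            stage, initial, maximum, rate = parsed.groups()
            stages[stage.lower()] = StageTimeout(
                int(initial),
                int(maximum) if maximum else None,
                int(rate) if rate else None,
            )
    return stages


def assess(conf: str, max_initial: int = 20, min_rate: int = 500) -> List[str]:
    """Compare the config with the article's values; an empty list means nothing to report."""
    findings: List[str] = []
    stripped = strip_comments(conf)
    stages = parse_request_read_timeout(stripped)
    if not stages:
        findings.append("no RequestReadTimeout directive: a slow header or body read is bounded only by Timeout")
        return findings
    if not _LOADMODULE_RE.search(stripped):
        # Heuristic: a statically compiled module has no LoadModule line, so this can be a false alarm.
        findings.append("no 'LoadModule reqtimeout_module' line: inside <IfModule mod_reqtimeout.c> the "
                        "directive is silently skipped (ignore if the module is compiled in statically)")
    for stage in ("header", "body"):
        setting = stages.get(stage)
        if setting is None:
            findings.append(f"{stage}: not limited by RequestReadTimeout")
            continue
        if setting.initial > max_initial:
            findings.append(f"{stage}: initial timeout {setting.initial}s exceeds {max_initial}s")
        if setting.min_rate is None:
            findings.append(f"{stage}: no MinRate, the article recommends MinRate={min_rate}")
        else:
            if setting.min_rate < min_rate:
                findings.append(f"{stage}: MinRate={setting.min_rate} is below {min_rate}, "
                                "so a trickling client earns extra time more cheaply")
            if setting.maximum is None:
                findings.append(f"{stage}: MinRate without a maximum lets the timeout grow without bound")
    return findings


if __name__ == "__main__":
    for name, conf in (("protected", SAMPLE_HTTPD_CONF), ("unprotected", SAMPLE_UNPROTECTED_CONF)):
        print(f"{name}: {assess(conf) or ['OK']}")
```

Run it against a copy of the live httpd.conf (read the file into a string and pass it to assess) after applying the change above; an empty result means the directive matches the recommended values and the module is loaded. The LoadModule check is only a heuristic, so confirm with the server's own module listing if the module is compiled in statically.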

Additional Information

https://documentation.cpanel.net/display/EA/How+To+Mitigate+Slowloris+Attacks

https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

https://www.cvedetails.com/cve/CVE-2007-6750/