[asterisk-bugs] [JIRA] (ASTERISK-23673) Security: DoS by consuming the number of allowed HTTP connections.
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Fri Jun 13 01:43:56 CDT 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-23673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-23673:
-----------------------------------
Target Release Version/s: 1.8.28.2, 11.10.2, 12.3.2
                          (was: 1.8.28.1, 11.10.1, 12.3.1)
> Security: DoS by consuming the number of allowed HTTP connections.
> ------------------------------------------------------------------
>
> Key: ASTERISK-23673
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-23673
> Project: Asterisk
> Issue Type: Bug
> Components: Core/HTTP
> Affects Versions: 1.8.27.0, 11.9.0, 12.2.0
> Reporter: Richard Mudgett
> Assignee: Richard Mudgett
> Severity: Critical
> Labels: Security
> Target Release: 1.8.28.2, 11.10.2, 12.3.2
>
>
> Simply establishing a TCP connection and never sending anything to the configured HTTP port in http.conf will tie up an HTTP connection. Since there is a maximum number of open HTTP sessions allowed at a time, you can block legitimate connections.
> A similar problem exists if an HTTP request is started but never finished.
> A timeout needs to be implemented to mitigate this kind of attack.
> I'm fairly certain that this has always existed in Asterisk's HTTP implementation. It has just become more serious with the addition of ARI.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
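The report describes two ways to pin a session slot (connect and send nothing, or send part of a request head and never finish it) and names a timeout as the mitigation. The following is an added example, not Asterisk code, that reproduces both against a toy asyncio HTTP server with a bounded session count and an optional timeout on reading the request head. MAX_SESSIONS, the loopback port, the request lines and the 0.5 s timeout are assumptions chosen for the demonstration; the real limit and timeout come from the server's configuration.

```python
"""Session-slot exhaustion against a slot-limited HTTP server, with and
without a request-head read timeout. Added example, not Asterisk code."""
import asyncio

MAX_SESSIONS = 4  # assumed toy limit standing in for the configured session limit
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
            b"Connection: close\r\n\r\nok")


class SlotLimitedHttpServer:
    """Accepts at most max_sessions concurrent sessions and refuses the rest by
    closing them. header_timeout=None reproduces the flaw: a silent or
    half-sent request holds its slot until the peer goes away."""

    def __init__(self, max_sessions, header_timeout):
        self.max_sessions = max_sessions
        self.header_timeout = header_timeout
        self.active = 0
        self.refused = 0
        self.timed_out = 0
        self._server = None

    async def start(self):
        self._server = await asyncio.start_server(self._handle, "127.0.0.1", 0)
        return self._server.sockets[0].getsockname()[1]

    async def stop(self):
        self._server.close()
        await self._server.wait_closed()

    async def _handle(self, reader, writer):
        if self.active >= self.max_sessions:
            self.refused += 1  # all slots held: a legitimate client is turned away
            writer.close()
            return
        self.active += 1
        try:
            try:
                # The complete request head must arrive within header_timeout
                # or the slot is released. With None this waits indefinitely.
                await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"),
                                       self.header_timeout)
            except asyncio.TimeoutError:
                self.timed_out += 1
                return
            except (asyncio.IncompleteReadError, asyncio.LimitOverrunError):
                return  # peer closed early, or head larger than the buffer limit
            writer.write(RESPONSE)
            await writer.drain()
        finally:
            self.active -= 1
            writer.close()


async def hold_connections(port, count, partial_request):
    """Attacker: open `count` TCP connections and never complete a request."""
    held = []
    for _ in range(count):
        _reader, writer = await asyncio.open_connection("127.0.0.1", port)
        if partial_request:
            # Request started but never finished: the terminating blank line never comes.
            writer.write(b"GET /ari/asterisk/info HTTP/1.1\r\nHost: pbx\r\n")
            await writer.drain()
        held.append(writer)
    return held


async def legitimate_request(port, timeout=2.0):
    """Complete GET; returns the response bytes, or b"" if the server refused us."""
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        writer.write(b"GET / HTTP/1.1\r\nHost: pbx\r\n\r\n")
        await writer.drain()
        data = await asyncio.wait_for(reader.read(4096), timeout)
        writer.close()
        return data
    except (OSError, asyncio.TimeoutError):  # reset or EOF from a refused slot
        return b""


async def run_scenario(header_timeout, partial_request):
    server = SlotLimitedHttpServer(MAX_SESSIONS, header_timeout)
    port = await server.start()
    loop = asyncio.get_running_loop()

    attackers = await hold_connections(port, MAX_SESSIONS, partial_request)
    await asyncio.sleep(0.1)                 # let the server account for all of them
    first = await legitimate_request(port)   # every slot is held at this point

    if header_timeout is not None:
        deadline = loop.time() + header_timeout + 3.0
        while server.active and loop.time() < deadline:
            await asyncio.sleep(0.02)        # wait for the timeout to reclaim slots
    second = await legitimate_request(port)

    for writer in attackers:
        writer.close()
    await asyncio.sleep(0.1)
    await server.stop()
    return {"first_served": first.startswith(b"HTTP/1.1 200"),
            "second_served": second.startswith(b"HTTP/1.1 200"),
            "refused": server.refused, "timed_out": server.timed_out}


def demo(header_timeout, partial_request=False):
    """header_timeout=None is the vulnerable server; a float is the mitigated one."""
    return asyncio.run(run_scenario(header_timeout, partial_request))


if __name__ == "__main__":
    print("no timeout, silent connections  :", demo(None))
    print("0.5s head timeout, partial heads:", demo(0.5, partial_request=True))
```

Without a timeout both legitimate requests are refused, because the four silent connections keep their slots until the attacker hangs up. With a timeout on the request head, the first request is still refused (the slots are genuinely full at that instant), but the half-sent requests are dropped once the timeout elapses and the second request is served. The same bound should also cover the keep-alive gap between requests on a reused connection, which this toy server does not model since it closes after one response.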