Header Only - DO NOT REMOVE - Extreme Networks

IdentiFi Wireless Controller f/w 8.21.06.0006 reporting High CPU Utilization for HTTPD Process


Userlevel 3
Article ID: 15085

Products
C20, C25, C4110, C5110, C5210, V2110; firmware 8.11.01.0161 through 8.21.06.0006
IdentiFi (formerly Enterasys, HiPath) Wireless Controller

Symptoms
Users are unable to connect to the Wireless network.
-and/or-
Overall client performance issues, such as poor connections, dropped connections, or spotty coverage.
-and/or-
Controller Web GUI is slow to respond after clicking on a web site.

Cause
A vulnerability (CVE-2011-3192) patch update has broken a section of the Apache functionality, causing certain requests to use all of the HTTPD CPU cycles.

Solution
This is fixed as of f/w 8.21.07.0006, with a more complete fix as of f/w 8.21.08.0005.

Upgrade to firmware 8.21.08.0005 or higher.
Release notes state, in the 'Changes in 8.21.07.0006' section:
code:
wns0009142
code:
Solution to protect against denial of service attack disallows partial gets as explained in Known Issues section.

Release notes state, in the 'Changes in 8.21.08.0005' section:
code:
wns0009142
code:
Solution to protect against denial of service attack by disabling partial gets as explained in KB.


The accompanying item in the 'Deployment Notes and Known Issues' section:
[code]Wns0009142 – info[/code]
code:
The controller will respond to HTTP requests containing the Range header with a Forbidden (403) error. This is to address current Denial of Service attacks that use the Range header. Range headers are used to download parts of a file through HTTP. They are not useful when dealing with the controller since most of its HTTP-downloadable files are small (e.g. graphics) or have a short lifetime (e.g. logs).

0 replies

Be the first to reply!

Reply