High CPU usage after Qualys scan - persists until restart

Started by proxyman, January 03, 2023, 12:25:15 PM


proxyman

When we run a Qualys Vulnerability scan (Network scan), Apache HTTPD configured as a Reverse Proxy (ApacheHaus dist. v.2.4.54 w/LibreSSL) ramps up to 25 percent CPU utilization and stays at this until a reboot. If a scan is run again, this ramps up to 50 percent CPU utilization for httpd.exe.


This was not observed with version 2.4.46 w/LibreSSL, with the same loaded modules:
Loaded Modules: (static) core_module, win32_module, mpm_winnt_module, http_module, so_module
(shared) dir_module, alias_module, log_config_module, authn_core_module, authz_core_module, headers_module, lbmethod_byrequests_module, proxy_module, proxy_balancer_module, proxy_http_module, rewrite_module, slotmem_shm_module, socache_shmcb_module, ssl_module, include_module, status_module, proxy_wstunnel_module, env_module

How can we mitigate this behavior or fix it? Qualys itself does not report any Apache HTTPD specific vulnerabilities, but the system slows down after every scan (Server VMs - w/dedicated resources 32GB RAM + Xeon quad-core CPU). Apache's logs are clear without errors around re-negotiation (Ref: https://success.qualys.com/discussions/s/question/0D52L00004TnxccSAB/apache-threads-stuck-at-100-after-scan). The timeout period is 1 hour in the configuration (for some long-running operations), but as seen from the screenshot above, the CPU usage does not drop after an hour, so it's unlikely to be existing sessions which are waiting to time out.

Rebooting the servers after a vulnerability scan is not an option as these are production systems running multiple critical services. Any help or pointers would be appreciated. Thank you.


mario

Hi!
mod_security is a valid option to stop such things.

proxyman

Thanks, Mario. When we had last evaluated mod_security, there was a handle leak issue which was reported to crash httpd.exe which is why we didn't include it. Has that issue been resolved in version 2.9.5? And also, this wasn't an issue reported in version 2.4.46.

Steffen

Yes, the handle leak is fixed at Apachelounge VS16 2.9.5 and VS17 2.9.6.

For background, see https://www.apachelounge.com/viewtopic.php?p=40768#40768

Not sure if ApacheHaus has also fixed it in APR.

proxyman

Thank you, Steffen! I'll check it out with the latest version and report if I experience the mem leak.