Satellite / SAT-8660

BZ#1934210 Bad HTTP method requests filling up /var/log/messages with stack traces


    • Bug
    • Resolution: Done-Errata
    • Major
    • 6.12.0
    • 6.7.0
    • SAT QE

      https://bugzilla.redhat.com/show_bug.cgi?id=1934210 - Description of problem:
      When httpd in Satellite receives a request with an invalid HTTP method, it logs the condition to /var/log/httpd/error_log with the following text:

      [ 2021-02-14 10:09:15.7381 28224/7f6e0e815700 Pool2/Implementation.cpp:1274 ]: [App 28283 stderr] [ 2021-02-14 10:09:15.7380 6537/0x000000000c291948(Worker 1) utils.rb:74 ]: *** Exception ActionController::UnknownHttpMethod in Rack application object (ABCD, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH) (process 6537, thread 0x000000000c291948(Worker 1)):

      This is reasonable, but after that there are 33 more lines of stack trace:

      [ 2021-03-02 17:21:13.0880 40626/7f438426d700 Pool2/Implementation.cpp:1274 ]: [App 40766 stderr] from /opt/theforeman/tfm/root/usr/share/gems/gems/actionpack-6.0.3.1/lib/action_dispatch/http/request.rb:431:in `check_method'
      [ 2021-03-02 17:21:13.0880 40626/7f438426d700 Pool2/Implementation.cpp:1274 ]: [App 40766 stderr] from /opt/theforeman/tfm/root/usr/share/gems/gems/actionpack-6.0.3.1/lib/action_dispatch/http/request.rb:143:in `request_method'
      [...]

      A Qualys security scanner is regularly hitting the Satellite with bad HTTP methods and this is filling up the filesystem where /var/log/httpd/ resides.

      Version-Release number of selected component (if applicable):
      satellite-6.7.1-1.el7sat.noarch

      How reproducible:
      Always

      Steps to Reproduce:
      1. Issue a bad HTTP method to httpd in Satellite:
      $ curl -X ABCD http://<fqdn_of_satellite>

      Actual results:
      The above line is logged to /var/log/httpd/error_log followed by 30+ lines of stack trace.

      Expected results:
      Only the above line is logged to /var/log/httpd/error_log .

      Additional info:
      This condition is being triggered very frequently by a Qualys security scanner sending all sorts of bad methods to the Satellite:

      $ grep "accepted HTTP methods are" error_log | awk '{print $24}' | sed -e 's/^(//' -e 's/,$//' | sort | uniq -c
      57 ABCD
      18 BADMETHOD
      60 BADMTHD
      18 BDMTHD
      18 CFYZ
      18 DEBUG
      143 get
      18 INDEX
      38 QUALYS
      37 rndmmtd
      18 RNDMMTD
      72 TRACK

      The resulting stack traces are filling up the filesystem where /var/log resides making the Satellite unavailable.
      The same behaviour is observable on Satellite 6.8.
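One way to stop the stack traces, added here as an illustration and not the code shipped in the errata or Foreman's own middleware: a Rack-style guard that rejects an unknown method with 405 and a single log line before Rails gets to raise ActionController::UnknownHttpMethod, plus a Ruby equivalent of the grep/awk tally above run over constructed error_log lines. The class and method names (UnknownMethodGuard, simulate, tally_rejected_methods) and the sample log lines are assumptions made for the example; the accepted-method list is the one quoted in the exception message; no rack gem is needed because the middleware only follows the call(env) convention.

```ruby
# Added example, not Foreman/Satellite code. Rejects requests whose HTTP method
# is not accepted before they reach the Rails stack, logging one line per
# rejection instead of a 30-line stack trace. Names below are hypothetical.
require 'logger'
require 'stringio'

# The list Rails accepts, as quoted in the UnknownHttpMethod message above.
ACCEPTED_HTTP_METHODS = %w[
  OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT PROPFIND PROPPATCH MKCOL COPY
  MOVE LOCK UNLOCK VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT
  MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY ORDERPATCH ACL
  SEARCH MKCALENDAR PATCH
].freeze

class UnknownMethodGuard
  # app: the downstream Rack application; logger: where the one-line record goes.
  def initialize(app, logger:, accepted: ACCEPTED_HTTP_METHODS)
    @app = app
    @logger = logger
    @accepted = accepted
  end

  def call(env)
    method = env['REQUEST_METHOD'].to_s
    # Rails compares the method case-sensitively (lower-case "get" shows up in
    # the tally above as rejected), so do the same here rather than upcasing.
    return @app.call(env) if @accepted.include?(method)

    @logger.warn("rejected request with unknown HTTP method #{method.inspect} " \
                 "from #{env['REMOTE_ADDR']} for #{env['PATH_INFO']}")
    # 405 is what Rails itself maps UnknownHttpMethod to; RFC 7231 requires Allow.
    [405,
     { 'Content-Type' => 'text/plain', 'Allow' => @accepted.join(', ') },
     ["Method Not Allowed\n"]]
  end
end

# Push one request through the guard in front of a stub app and return
# [status, log_lines] so the behaviour can be checked without a server.
def simulate(method, path: '/', remote_addr: '192.0.2.10')
  log_io = StringIO.new
  logger = Logger.new(log_io)
  logger.formatter = proc { |severity, _time, _progname, msg| "#{severity}: #{msg}\n" }
  inner = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  app = UnknownMethodGuard.new(inner, logger: logger)
  status, _headers, _body = app.call('REQUEST_METHOD' => method,
                                     'PATH_INFO' => path,
                                     'REMOTE_ADDR' => remote_addr)
  [status, log_io.string.lines.map(&:chomp)]
end

# Constructed Passenger error_log excerpt (shape of the lines in the report,
# accepted-method list shortened); not copied from a real Satellite.
SAMPLE_ERROR_LOG = <<~LOG
  [ 2021-02-14 10:09:15.7381 28224/7f6e0e815700 Pool2/Implementation.cpp:1274 ]: [App 28283 stderr] [ 2021-02-14 10:09:15.7380 6537/0x000000000c291948(Worker 1) utils.rb:74 ]: *** Exception ActionController::UnknownHttpMethod in Rack application object (ABCD, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, and PATCH) (process 6537, thread 0x000000000c291948(Worker 1)):
  [ 2021-02-14 10:09:15.7381 28224/7f6e0e815700 Pool2/Implementation.cpp:1274 ]: [App 28283 stderr] from /opt/theforeman/tfm/root/usr/share/gems/gems/actionpack-6.0.3.1/lib/action_dispatch/http/request.rb:431:in `check_method'
  [ 2021-02-14 10:09:16.0021 28224/7f6e0e815700 Pool2/Implementation.cpp:1274 ]: [App 28283 stderr] [ 2021-02-14 10:09:16.0020 6537/0x000000000c291948(Worker 1) utils.rb:74 ]: *** Exception ActionController::UnknownHttpMethod in Rack application object (get, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, and PATCH) (process 6537, thread 0x000000000c291948(Worker 1)):
  [ 2021-02-14 10:09:17.4410 28224/7f6e0e815700 Pool2/Implementation.cpp:1274 ]: [App 28283 stderr] [ 2021-02-14 10:09:17.4409 6537/0x000000000c291948(Worker 1) utils.rb:74 ]: *** Exception ActionController::UnknownHttpMethod in Rack application object (ABCD, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, and PATCH) (process 6537, thread 0x000000000c291948(Worker 1)):
LOG

# Same extraction as the grep | awk '{print $24}' | sed pipeline in the report,
# but anchored on the message text instead of a field position.
METHOD_RE = /\*\*\* Exception ActionController::UnknownHttpMethod in Rack application object \((?<method>[^,]+), accepted HTTP methods are/

# Returns a Hash of rejected method name => occurrence count.
def tally_rejected_methods(log_text)
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = METHOD_RE.match(line)
    counts[m[:method]] += 1 if m
  end
  counts
end

if __FILE__ == $PROGRAM_NAME
  p simulate('GET')
  p simulate('ABCD')
  tally_rejected_methods(SAMPLE_ERROR_LOG).sort_by { |k, _| k }.each { |k, v| puts "#{v} #{k}" }
end
```

In a Rails application the guard would be wired in with config.middleware.insert_before 0, UnknownMethodGuard, logger: Rails.logger so it runs ahead of the rest of the stack; the same check can also be pushed into httpd in front of Passenger so a scanner's bad methods never reach Ruby at all. Either way the point is that an attacker-controlled input should cost one bounded log line, not a stack trace per request.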

            lpramuk Lukas Pramuk
            jira-bugzilla-migration RH Bugzilla Integration
            Lukas Pramuk Lukas Pramuk