Qualys: Scanner Appliance: 64.39.99.243 (Scanner 11.5.21-1, Vulnerability Signatures 2.4.694-2)

Our production Apache HTTP 2.4.37 server running with OpenSSL 1.1.1a has been getting hit with Qualys scans like clockwork, and every time our CPU goes to 100%, and after more scans to 200% CPU. After reading the bug reports I upgraded to 2.4.38, which made no difference. I then upgraded to the latest stable version, httpd 2.4.41, and ran with the latest stable OpenSSL v1.1.1c, and get the same issue.

I also tried configuring TLS from TLSv1.2 and TLSv1.3 to only TLSv1.2 and still have 100% CPU after 1 Qualys community scan.

I also tried to deny service with SSLRequire on the IPs 64.39.103, 64.39.99, 64.39.111, and also RequireAll, and trying combinations, but nothing stops the 100% CPU so far.

The Qualys scan is repeatable and I'm using standard configurations and builds on Red Hat Linux, although an older Red Hat Enterprise Linux Server release 5.11 (Tikanga).

apr-1.6.5
expat-2.2.6
apr-util-1.6.1
pcre-8.42
openssl_1.1.1a, httpd 2.4.37, 2.4.38
openssl_1.1.1c, httpd 2.4.41

./configure --prefix=/opt/fedex/fxnet/vendor/apache/2.4.41 \
    --with-pcre=/vendor/apache/pcre-8.42 \
    --with-ssl=//vendor/apache/openssl_1.1.1c \
    --with-z=/vendor/apache/zlib-1.2.11 \
    --enable-ssl --enable-shared --enable-deflate --enable-mime \
    --enable-dbd --enable-socache-shmcb \
    --with-apr=/vendor/apache/apr-1.6.5 \
    --with-apr-util=/vendor/apache/apr-util-1.6.1

Tried but failed, trying combinations:

<Directory / >
    Options FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require all denied
        Require not ip 64.39.111
        Require not ip 64.39.103
        Require not ip 64.39.99
    </RequireAll>
</Directory>

Rebuilt with worker MPM from default prefork and issue went away. Ensured all modules linked properly.
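
Added example, not part of the original report or of Apache's own code: a small Python model of how mod_authz_core combines the directives inside the posted <RequireAll> block, showing that the block as posted rejects every client because `Require all denied` always fails, next to the documented `Require all granted` plus `Require not ip` form. The function names and the 203.0.113.10 client address are assumptions made for illustration.

```python
from enum import Enum
from ipaddress import ip_address

class Result(Enum):
    GRANTED = 1
    DENIED = 2
    NEUTRAL = 3

def ip_matches(client, spec):
    """Apache accepts partial IPv4 addresses: '64.39.99' covers 64.39.99.0-255."""
    octets = spec.split(".")
    return str(ip_address(client)).split(".")[:len(octets)] == octets

def require(directive, client):
    """Evaluate one 'Require ...' line for a client address."""
    words = directive.split()[1:]              # drop the leading 'Require'
    negated = words[0] == "not"
    if negated:
        words = words[1:]
    if words[0] == "all":
        hit = words[1] == "granted"
    elif words[0] == "ip":
        hit = any(ip_matches(client, s) for s in words[1:])
    else:
        raise ValueError(f"provider not modelled here: {words[0]}")
    if negated:                                # a negated rule can only fail or stay neutral
        return Result.DENIED if hit else Result.NEUTRAL
    return Result.GRANTED if hit else Result.DENIED

def require_all(directives, client):
    """<RequireAll>: no directive may fail and at least one must succeed."""
    results = [require(d, client) for d in directives]
    if Result.DENIED in results:
        return Result.DENIED
    return Result.GRANTED if Result.GRANTED in results else Result.NEUTRAL

# Directives exactly as posted in the report.
POSTED = ["Require all denied", "Require not ip 64.39.111",
          "Require not ip 64.39.103", "Require not ip 64.39.99"]
# Documented blocklist form: grant everyone, then exclude the listed ranges.
CORRECTED = ["Require all granted"] + POSTED[1:]
# Constructed clients: the scanner address from the report and a documentation-range address.
CLIENTS = ["64.39.99.243", "203.0.113.10"]

def decisions(directives):
    return {c: require_all(directives, c).name for c in CLIENTS}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, decisions(rules))
```

These rules are evaluated per HTTP request, after the connection and TLS handshake have already been accepted, so they decide which response a client receives rather than whether the server accepts its connection.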