[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2019-10222: ceph: unauthenticated clients can crash RGW
From: Alexandros Toptsoglou <atoptsoglou () suse ! com>
Date: 2019-08-28 15:27:48
Message-ID: 7ade7a65-f829-c4f6-66b5-ee334eaebf68 () suse ! com
[Download RAW message or body]
[Attachment #2 (multipart/mixed)]
Hi all,
an improper exception handling was found in RGW component of Ceph.
Please find the details below.
CVE-2019-10222: ceph: unauthenticated clients can crash RGW
Affected versions:
Nautilus (version 14.2.X)
Mimic (version 13.2.X)
Luminous (version 12.2.X) only if an experimental feature is enabled in
ceph.conf:
enable_experimental_unrecoverable_data_corrupting_features=true
enable experimental unrecoverable data corrupting features =
rgw-beast-frontend
Description:
An improper exception condition handling in Ceph allows to any single
unauthenticated
client to crash RGW component of Ceph by sending a special crafted HTTP
request which lead
to denial of service.
The vulnerability affects the RGW component of Ceph, specifically the
ceph-radosgw.
Mitigation:
Apply the fix of pull request in https://github.com/ceph/ceph/pull/29967
Timeline:
- 2019-08-07: Issue discovered.
- 2019-08-08: Issue reported to security@ceph.io
- 2019-08-16: Coordinated release date set on 28th
- 2019-08-28: Disclosure
Reference:
https://bugzilla.suse.com/show_bug.cgi?id=1145093
Credit:
This vulnerability was discovered by Abhishek Lekshmanan of SUSE
Software Solutions Germany GmbH
--
Alexandros Toptsoglou <atoptsoglou@suse.com>
Security Engineer
OpenPGP fingerprint: C270 3848 AA4A 783A 9848 BB06 56A3 3D9C B652 1869
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nuremberg
Germany
(HRB 247165, AG München)
Managing Director: Felix Imendörffer
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic