Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7ade7a65-f829-c4f6-66b5-ee334eaebf68@suse.com>
Date: Wed, 28 Aug 2019 15:27:48 +0000
From: Alexandros Toptsoglou <atoptsoglou@...e.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2019-10222: ceph: unauthenticated clients can crash RGW

Hi all,

an improper exception handling was found in RGW component of Ceph.
Please find the details below.

CVE-2019-10222: ceph: unauthenticated clients can crash RGW

Affected versions:
Nautilus (version 14.2.X)
Mimic (version 13.2.X)
Luminous (version 12.2.X) only if an experimental feature is enabled in
ceph.conf:
  enable_experimental_unrecoverable_data_corrupting_features=true
  enable experimental unrecoverable data corrupting features =
rgw-beast-frontend


Description:
An improper exception condition handling in Ceph allows to any single
unauthenticated
client to crash RGW component of Ceph by sending a special crafted HTTP
request which lead
to denial of service.
The vulnerability affects the RGW component of Ceph, specifically the
ceph-radosgw.

Mitigation:
Apply the fix of pull request in https://github.com/ceph/ceph/pull/29967

Timeline:
- 2019-08-07: Issue discovered.
- 2019-08-08: Issue reported to security@...h.io
- 2019-08-16: Coordinated release date set on 28th
- 2019-08-28: Disclosure

Reference:
https://bugzilla.suse.com/show_bug.cgi?id=1145093

Credit:
This vulnerability was discovered by Abhishek Lekshmanan of SUSE
Software Solutions Germany GmbH
-- 
Alexandros Toptsoglou <atoptsoglou@...e.com>
Security Engineer
OpenPGP fingerprint: C270 3848 AA4A 783A 9848  BB06 56A3 3D9C B652 1869

SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nuremberg
Germany
(HRB 247165, AG München)
Managing Director: Felix Imendörffer



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.