Message-ID: <CAOo2v=A-zfgSrFy73_XMGxV4FbV_fv3Ptj_JdWa3W6U=iowWsA@mail.gmail.com>
Date: Sat, 1 Feb 2020 01:17:26 +0530
From: Hardik Vyas <hvyas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server

Hello,

A flaw was found in the way the Ceph RGW Beast front-end handles unexpected
disconnects. An authenticated attacker can abuse this flaw by making multiple
disconnect attempts, resulting in a permanent leak of a socket connection by
radosgw. This flaw could lead to a denial of service condition by pile up of
CLOSE_WAIT sockets, eventually leading to the exhaustion of available
resources, preventing legitimate users from connecting to the system.

This flaw affects Nautilus based versions. If the Beast front end is in use,
switch to CivetWeb to mitigate the issue. Red Hat has assigned CVE-2020-1700
and rated it as a Moderate impact flaw.

PR: https://github.com/ceph/ceph/pull/33017
Patch:
https://github.com/ceph/ceph/commit/ff72c50a2c43c57aead933eb4903ad1ca6d1748a

Credit: Or Friedmann(Red Hat)

Regards,
-- 

Hardik Vyas / Red Hat Product Security

BD48 C633 DE34 733A BBC3  3B72 8A14 AEBB D68B 9381
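The advisory's observable symptom is a growing pile of CLOSE_WAIT sockets held by radosgw. The following detection check is an added example, not part of the original post or of the Ceph project: it parses `ss -tan` style output, counts CLOSE_WAIT sockets on the RGW listening port, breaks them down per peer address, and raises an alert once a threshold is crossed. The sample output is constructed, the default port 7480 and the threshold value are assumptions, and `ss` prints the state as `CLOSE-WAIT` while netstat prints `CLOSE_WAIT`, so both spellings are normalised.

```python
"""Detect CLOSE_WAIT socket build-up on a radosgw listening port.

Added example for monitoring the symptom described in CVE-2020-1700;
it is not code from the Ceph project.
"""
import subprocess
from collections import Counter
from dataclasses import dataclass

# Constructed sample of `ss -tan` output (not real captured data).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:7480          0.0.0.0:*
ESTAB      0      0      10.0.0.5:7480         10.0.0.9:51234
CLOSE-WAIT 1      0      10.0.0.5:7480         10.0.0.9:51240
CLOSE-WAIT 1      0      10.0.0.5:7480         10.0.0.9:51241
CLOSE-WAIT 1      0      [::ffff:10.0.0.5]:7480 [::ffff:10.0.0.12]:40001
CLOSE-WAIT 0      0      10.0.0.5:22           10.0.0.3:33333
ESTAB      0      0      10.0.0.5:6800         10.0.0.7:44444
"""

# Assumed default RGW front-end port; adjust to the port configured in
# `rgw frontends`.
DEFAULT_RGW_PORT = 7480


@dataclass
class SocketRow:
    state: str       # normalised to netstat style, e.g. CLOSE_WAIT
    local_port: int
    peer_addr: str


def parse_ss(text):
    """Parse `ss -tan` / `netstat -tan` style lines into SocketRow objects.

    Header lines and lines without a numeric local port are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("State", "Proto"):
            continue
        state = parts[0].replace("-", "_").upper()
        local, peer = parts[3], parts[4]
        port_str = local.rsplit(":", 1)[-1]
        if not port_str.isdigit():
            continue
        # rsplit on the last colon keeps bracketed IPv6 addresses intact.
        peer_addr = peer.rsplit(":", 1)[0]
        rows.append(SocketRow(state, int(port_str), peer_addr))
    return rows


def close_wait_by_peer(rows, rgw_port):
    """Count CLOSE_WAIT sockets on the RGW port, grouped by peer address."""
    counts = Counter()
    for row in rows:
        if row.state == "CLOSE_WAIT" and row.local_port == rgw_port:
            counts[row.peer_addr] += 1
    return counts


def check_leak(text, rgw_port=DEFAULT_RGW_PORT, threshold=50):
    """Return a summary dict; `alert` is True once the threshold is reached.

    The threshold is an assumed operational value: a healthy RGW should hold
    few CLOSE_WAIT sockets, and a count that only ever grows is the leak.
    """
    counts = close_wait_by_peer(parse_ss(text), rgw_port)
    total = sum(counts.values())
    return {"total": total, "by_peer": dict(counts), "alert": total >= threshold}


def live_ss_output():
    """Run `ss -tan` on the local host; fall back to the sample if unavailable."""
    try:
        return subprocess.run(["ss", "-tan"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    result = check_leak(live_ss_output(), threshold=2)
    print(f"CLOSE_WAIT on port {DEFAULT_RGW_PORT}: {result['total']}")
    for peer, n in sorted(result["by_peer"].items(), key=lambda kv: -kv[1]):
        print(f"  {peer}: {n}")
    if result["alert"]:
        print("ALERT: possible radosgw connection leak (see CVE-2020-1700)")
```

Run it periodically (cron or a monitoring agent) on the RGW host; a per-peer breakdown that keeps rising from a small set of authenticated clients, while the total never drains, is the pattern the advisory describes, and it is the signal on which to restart radosgw or switch the front end to CivetWeb until the fix is deployed.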
