oss-sec mailing list archives
Re: CVE request - ganglia
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 3 Feb 2009 16:39:16 -0500 (EST)
updated to a "reject". ====================================================== Name: CVE-2009-0242 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0242 Reference: MLIST:[Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port Reference: URL:http://www.mail-archive.com/ganglia-developers () lists sourceforge net/msg04929.html Reference: MLIST:[Ganglia-developers] 20090123 Re: CVE Reference: URL:http://www.mail-archive.com/ganglia-developers () lists sourceforge net/msg04969.html Reference: MLIST:[Ganglia-developers] 20090123 Re: CVE Reference: URL:http://www.mail-archive.com/ganglia-developers () lists sourceforge net/msg04973.html Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0242#c1 Reference: XF:ganglia-gmetad-dos(48166) Reference: URL:http://xforce.iss.net/xforce/xfdb/48166 ** REJECT ** gmetad in Ganglia 3.1.1, when supporting multiple requests per connection on an interactive port, allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth. NOTE: the vendor and original researcher have disputed this issue, since legitimate requests can generate the same amount of resource consumption. CVE concurs with the dispute, so this identifier should not be used.
Current thread:
- CVE request - ganglia Tomas Hoger (Jan 15)
- Re: CVE request - ganglia Steven M. Christey (Jan 20)
- Re: CVE request - ganglia Tomas Hoger (Jan 26)
- Re: CVE request - ganglia Steven M. Christey (Feb 03)
- Re: CVE request - ganglia Tomas Hoger (Jan 26)
- Re: CVE request - ganglia Steven M. Christey (Jan 20)