oss-sec mailing list archives
CVE-2019-10222: ceph: unauthenticated clients can crash RGW
From: Alexandros Toptsoglou <atoptsoglou () suse com>
Date: Wed, 28 Aug 2019 15:27:48 +0000
Hi all, an improper exception handling was found in RGW component of Ceph. Please find the details below. CVE-2019-10222: ceph: unauthenticated clients can crash RGW Affected versions: Nautilus (version 14.2.X) Mimic (version 13.2.X) Luminous (version 12.2.X) only if an experimental feature is enabled in ceph.conf: enable_experimental_unrecoverable_data_corrupting_features=true enable experimental unrecoverable data corrupting features = rgw-beast-frontend Description: An improper exception condition handling in Ceph allows to any single unauthenticated client to crash RGW component of Ceph by sending a special crafted HTTP request which lead to denial of service. The vulnerability affects the RGW component of Ceph, specifically the ceph-radosgw. Mitigation: Apply the fix of pull request in https://github.com/ceph/ceph/pull/29967 Timeline: - 2019-08-07: Issue discovered. - 2019-08-08: Issue reported to security () ceph io - 2019-08-16: Coordinated release date set on 28th - 2019-08-28: Disclosure Reference: https://bugzilla.suse.com/show_bug.cgi?id=1145093 Credit: This vulnerability was discovered by Abhishek Lekshmanan of SUSE Software Solutions Germany GmbH -- Alexandros Toptsoglou <atoptsoglou () suse com> Security Engineer OpenPGP fingerprint: C270 3848 AA4A 783A 9848 BB06 56A3 3D9C B652 1869 SUSE Software Solutions Germany GmbH Maxfeldstr. 5 90409 Nuremberg Germany (HRB 247165, AG München) Managing Director: Felix Imendörffer
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2019-10222: ceph: unauthenticated clients can crash RGW Alexandros Toptsoglou (Aug 28)