oss-sec mailing list archives
CVE-2021-3531: Ceph: RGW unauthenticated denial of service
From: Ana McTaggart <amctagga () redhat com>
Date: Fri, 14 May 2021 15:16:37 -0400
Hello, A flaw was found in the Red Hat Ceph Storage RGW. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. We have assigned it a CVE of CVE-2021-3531 and a patch is attached. Fixes may be found here: Nautilus: https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e Octopus: https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039 Pacific: https://github.com/ceph/ceph/commit/bf06990ab41d7ac299e4441ad9cd434e926a18e7 Ana McTaggart Red Hat Product Security Red Hat Remote <https://www.redhat.com> secalert () redhat com for urgent response amct () redhat com M: +1 (774)279-0791 <7742790791> IM: amctagga Pronouns:They/Them/Theirs
Attachment:
0001-rgw-sanitize-r-in-s3-CORSConfiguration-s-ExposeHeade.patch
Description:
Current thread:
- CVE-2021-3531: Ceph: RGW unauthenticated denial of service Ana McTaggart (May 14)
- Re: CVE-2021-3531: Ceph: RGW unauthenticated denial of service Ana McTaggart (May 17)