Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 14 Feb 2013 11:47:47 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        David Vossel <dvossel@...hat.com>,
        Andrew Beekhof <abeekhof@...hat.com>
Subject: [FYI / CVE assignment notification] CVE-2013-0281 pacemaker: Denial
 of service when remote CIB management enabled due to use of no-timeout
 blocking socket to wait for the arrival of the authentication credentials

Hello vendors,

* A denial of service flaw was found in the way Pacemaker,
an advanced, scalable high-availability cluster resource
manager for Linux-HA (Heartbeat) and/or Corosync, performed
authentication and processing of remote connections in certain
circumstances. In general Pacemaker used a blocking socket
(without a timeout) to wait for authentication credentials
to arrive. When Pacemaker was configured to allow remote
Cluster Information Base (CIB) cluster's configuration /
cluster's resources management, a remote attacker could use
this flaw to cause Pacemaker to block indefinitely
(preventing it from serving another requests).

* The CVE identifier of CVE-2013-0281 has been assigned to this issue.

* This issue was found by David Vossel of Red Hat.

* Relevant upstream patch:
[1] https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93

* References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ