Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Sep 2016 02:48:30 +0000 (UTC)
From: Diogo Monica <diogo.monica@...ker.com>
To: oss-security <oss-security@...ts.openwall.com>, 
	oss-security@...ts.openwall.com
Subject: Re: Re: cve request: docker swarmkit Dos occurs by
 repeatly joining and quitting swam cluster as a node

Can you please describe how this vulnerability makes a worker node be able to administer the swarm?






On Thu, Sep 1, 2016 at 7:12 PM -0700, "Kurt Seifried" <kseifried@...hat.com> wrote:










On Thu, Sep 1, 2016 at 5:17 PM, Diogo Mónica 
wrote:

> A few weeks ago (Aug 4, 2016), a CVE (CVE-2016-6595) describing a DoS on
> docker swarm got issued. We believe this not a real issue, and would like
> to have the CVE rescinded.
>
> The person reporting this "vulnerability" is exhausting the resources of a
> remote manager by doing hundreds of join/leave operations without removing
> the state that is left by old nodes. At some point the manager obviously
> stops being able to accept new nodes, since it runs out of memory.
>
> Given that both for Docker swarm and for Docker Swarmkit nodes are
> *required* to provide a secret token (it's actually the only mode of
> operation), this means that no adversary can simply join nodes and exhaust
> manager resources.
>
> We can't do anything about a manager running out of memory and not being
> able to add new legitimate nodes to the system. This is merely a resource
> provisioning issue, and definitely not a CVE worthy vulnerability.
>

I checked the documentation and it looks like a worker node is only
supposed to work and is not supposed to be able to administer the swarm. As
such this is a trust boundary violation, and needs a CVE.



> Thank you,
> --
> Diogo Mónica
>



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com






Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ