Date: Thu, 1 Sep 2016 20:53:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Re: cve request: docker swarmkit DoS occurs by repeatedly joining and quitting swarm cluster as a node

On Thu, Sep 1, 2016 at 8:48 PM, Diogo Monica <diogo.monica@...ker.com> wrote:

> Can you please describe how this vulnerability makes a worker node able
> to administer the swarm?

It allows a worker node to disable and effectively shut down the swarm. I assume shutting down the swarm is an administrative function; if not, please let me know where the documentation for workers covers this (allowing a worker to shut down the swarm).

Thanks!

> On Thu, Sep 1, 2016 at 7:12 PM -0700, "Kurt Seifried" <kseifried@...hat.com> wrote:
>
> > On Thu, Sep 1, 2016 at 5:17 PM, Diogo Mónica wrote:
> >
> > > A few weeks ago (Aug 4, 2016), a CVE (CVE-2016-6595) describing a DoS on
> > > docker swarm got issued. We believe this is not a real issue, and would like
> > > to have the CVE rescinded.
> > >
> > > The person reporting this "vulnerability" is exhausting the resources of a
> > > remote manager by doing hundreds of join/leave operations without removing
> > > the state that is left by old nodes. At some point the manager obviously
> > > stops being able to accept new nodes, since it runs out of memory.
> > >
> > > Given that both for Docker swarm and for Docker Swarmkit nodes are
> > > *required* to provide a secret token (it's actually the only mode of
> > > operation), this means that no adversary can simply join nodes and exhaust
> > > manager resources.
> > >
> > > We can't do anything about a manager running out of memory and not being
> > > able to add new legitimate nodes to the system. This is merely a resource
> > > provisioning issue, and definitely not a CVE-worthy vulnerability.
> >
> > I checked the documentation and it looks like a worker node is only
> > supposed to work and is not supposed to be able to administer the swarm.
> > As such this is a trust boundary violation, and needs a CVE.
> >
> > > Thank you,
> > > --
> > > Diogo Mónica
> >
> > --
> > Kurt Seifried -- Red Hat -- Product Security -- Cloud
> > PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> > Red Hat Product Security contact: secalert@...hat.com

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com