Date: Wed, 28 Aug 2019 15:27:48 +0000 From: Alexandros Toptsoglou <atoptsoglou@...e.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2019-10222: ceph: unauthenticated clients can crash RGW Hi all, an improper exception handling was found in RGW component of Ceph. Please find the details below. CVE-2019-10222: ceph: unauthenticated clients can crash RGW Affected versions: Nautilus (version 14.2.X) Mimic (version 13.2.X) Luminous (version 12.2.X) only if an experimental feature is enabled in ceph.conf: enable_experimental_unrecoverable_data_corrupting_features=true enable experimental unrecoverable data corrupting features = rgw-beast-frontend Description: An improper exception condition handling in Ceph allows to any single unauthenticated client to crash RGW component of Ceph by sending a special crafted HTTP request which lead to denial of service. The vulnerability affects the RGW component of Ceph, specifically the ceph-radosgw. Mitigation: Apply the fix of pull request in https://github.com/ceph/ceph/pull/29967 Timeline: - 2019-08-07: Issue discovered. - 2019-08-08: Issue reported to security@...h.io - 2019-08-16: Coordinated release date set on 28th - 2019-08-28: Disclosure Reference: https://bugzilla.suse.com/show_bug.cgi?id=1145093 Credit: This vulnerability was discovered by Abhishek Lekshmanan of SUSE Software Solutions Germany GmbH -- Alexandros Toptsoglou <atoptsoglou@...e.com> Security Engineer OpenPGP fingerprint: C270 3848 AA4A 783A 9848 BB06 56A3 3D9C B652 1869 SUSE Software Solutions Germany GmbH Maxfeldstr. 5 90409 Nuremberg Germany (HRB 247165, AG München) Managing Director: Felix Imendörffer Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.