Date: Sat, 1 Feb 2020 01:17:26 +0530 From: Hardik Vyas <hvyas@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server Hello, A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system. This flaw affects Nautilus based versions. If Beast front end is in use, switch to CivetWeb to mitigate the issue. Red Hat has assigned CVE-2020-1700 and rated as Moderate impact flaw. PR: https://github.com/ceph/ceph/pull/33017 Patch: https://github.com/ceph/ceph/commit/ff72c50a2c43c57aead933eb4903ad1ca6d1748a Credit: Or Friedmann(Red Hat) Regards, -- Hardik Vyas / Red Hat Product Security BD48 C633 DE34 733A BBC3 3B72 8A14 AEBB D68B 9381
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.