oss-sec mailing list archives
CVE-2019-10222: ceph: unauthenticated clients can crash RGW
From: Alexandros Toptsoglou <atoptsoglou () suse com>
Date: Wed, 28 Aug 2019 15:27:48 +0000
Hi all,
An improper exception handling issue was found in the RGW component of Ceph.
Please find the details below.
CVE-2019-10222: ceph: unauthenticated clients can crash RGW
Affected versions:
Nautilus (version 14.2.X)
Mimic (version 13.2.X)
Luminous (version 12.2.X) only if an experimental feature is enabled in ceph.conf:
enable_experimental_unrecoverable_data_corrupting_features=true
enable experimental unrecoverable data corrupting features = rgw-beast-frontend
Description:
Improper handling of an exception condition in Ceph allows any single
unauthenticated client to crash the RGW component of Ceph by sending a
specially crafted HTTP request, which leads to a denial of service.
The vulnerability affects the RGW component of Ceph, specifically
ceph-radosgw.
Mitigation:
Apply the fix from pull request https://github.com/ceph/ceph/pull/29967
Timeline:
- 2019-08-07: Issue discovered.
- 2019-08-08: Issue reported to security () ceph io
- 2019-08-16: Coordinated release date set for the 28th
- 2019-08-28: Disclosure
Reference:
https://bugzilla.suse.com/show_bug.cgi?id=1145093
Credit:
This vulnerability was discovered by Abhishek Lekshmanan of SUSE Software Solutions Germany GmbH
--
Alexandros Toptsoglou <atoptsoglou () suse com>
Security Engineer
OpenPGP fingerprint: C270 3848 AA4A 783A 9848 BB06 56A3 3D9C B652 1869
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nuremberg
Germany
(HRB 247165, AG München)
Managing Director: Felix Imendörffer