Impact: Important Public Date: 2019-02-11 CWE: CWE-400 Bugzilla: 1656852: CVE-2019-3821 ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint A flaw was found in the way civetweb frontend was handling requests for ceph RGW server with SSL enabled. An unauthenticated attacker could create multiple connections to ceph RADOS gateway to exhaust file descriptors for ceph-radosgw service resulting in a remote denial of service.
Find out more about CVE-2019-3821 from the MITRE CVE dictionary dictionary and NIST NVD.
This flaw does not affect ceph version as shipped with Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | ceph-common | Not affected |
| Red Hat Ceph Storage 3 | ceph | Not affected |
| Red Hat Ceph Storage 2 | ceph | Not affected |
Vulmon