Bug 891922 (CVE-2013-0281)

Summary: CVE-2013-0281 pacemaker: remote DoS when CIB management is enabled caused by use of blocking sockets
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abeekhof, agk, cluster-maint, dvossel, jrusnack, security-response-team
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130214,reported=20130103,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,rhel-6/pacemaker=affected,fedora-all/pacemaker=affected
Doc Type: Bug Fix
Last Closed: 2013-11-22 05:20:30 UTC
Bug Depends On: 891766, 911291
Bug Blocks: 891925, 974906

Description Jan Lieskovsky 2013-01-04 13:44:18 UTC
A denial of service flaw was found in the way Pacemaker, an advanced, scalable high-availability cluster resource manager for Linux-HA (Heartbeat) and/or Corosync, performed authentication and processing of remote connections in certain circumstances. In general, Pacemaker used a blocking socket (without a timeout) to wait for authentication credentials to arrive. When Pacemaker was configured to allow remote Cluster Information Base (CIB) cluster's configuration / cluster's resources management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests).

Important Note: In the default configuration of Pacemaker in Red Hat Enterprise Linux 6 the remote CIB management feature / functionality is turned off.
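
The general remedy for the pattern described above is to bound the wait for credentials. The following is an added illustration, not Pacemaker's code and not the upstream patch: `read_auth_line`, the `AUTH_*` codes and the newline-terminated message format are hypothetical, and a local `socketpair` stands in for the remote peer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>

enum { AUTH_OK = 0, AUTH_TIMEOUT = -1, AUTH_CLOSED = -2, AUTH_TOO_LONG = -3 };

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Hypothetical helper: read one newline-terminated credential message,
 * giving up once budget_ms has elapsed in total. A plain blocking
 * recv(fd, buf, len, 0) here is the pattern the report describes: a peer
 * that connects and sends nothing holds the caller indefinitely. */
int read_auth_line(int fd, char *buf, size_t len, int budget_ms) {
    long deadline = now_ms() + budget_ms;  /* one deadline for the whole message */
    size_t used = 0;
    while (used + 1 < len) {
        long left = deadline - now_ms();
        if (left <= 0) return AUTH_TIMEOUT;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) return AUTH_CLOSED;
        if (r == 0) return AUTH_TIMEOUT;
        /* MSG_DONTWAIT: never block, even if readiness was spurious */
        ssize_t n = recv(fd, buf + used, len - 1 - used, MSG_DONTWAIT);
        if (n < 0 && (errno == EAGAIN || errno == EINTR)) continue;
        if (n <= 0) return AUTH_CLOSED;
        used += (size_t)n;
        buf[used] = '\0';
        if (memchr(buf, '\n', used)) return AUTH_OK;
    }
    return AUTH_TOO_LONG;
}

int main(void) {
    int sv[2]; char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    /* constructed case: peer sv[1] is connected but never sends */
    printf("silent peer -> %d\n", read_auth_line(sv[0], buf, sizeof buf, 200));
    return 0;
}
```

Because the deadline covers the whole message rather than each read, a peer that trickles bytes without ever completing the line is cut off at the same point as a silent one.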

Comment 1 Jan Lieskovsky 2013-01-04 13:46:15 UTC
This issue was found by David Vossel of Red Hat.

Comment 3 Jan Lieskovsky 2013-01-04 13:59:46 UTC
This issue affects the version of the pacemaker package, as shipped with Red Hat Enterprise Linux 6.


This issue affects the versions of the pacemaker package, as shipped with Fedora release of 16 and 17.

Comment 4 Jan Lieskovsky 2013-02-13 15:38:59 UTC
The CVE identifier of CVE-2013-0281 has been assigned to this issue.

Comment 5 Jan Lieskovsky 2013-02-14 10:27:46 UTC
Relevant upstream patch:

Comment 6 Jan Lieskovsky 2013-02-14 16:41:57 UTC
Created pacemaker tracking bugs for this issue

Affects: fedora-all [bug 911291]

Comment 8 errata-xmlrpc 2013-11-21 11:55:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1635 https://rhn.redhat.com/errata/RHSA-2013-1635.html

Comment 9 Huzaifa S. Sidhpurwala 2013-11-22 05:20:30 UTC