Bug 1656852 (CVE-2019-3821)
Summary: | CVE-2019-3821 ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | branto, danmick, david, fedora, i, josef, kkeithle, loic, ramkrsna, security-response-team, sisharma, steve |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | A flaw was found in the way the civetweb frontend handled requests for the ceph RGW server with SSL enabled. An unauthenticated attacker could create multiple connections to the ceph RADOS gateway to exhaust file descriptors for the ceph-radosgw service, resulting in a remote denial of service. | ||
Last Closed: | 2019-04-24 15:25:24 UTC | Type: | --- |
Bug Depends On: | 1674929 | ||
Bug Blocks: | 1656854 |
Description
Pedro Sampaio
2018-12-06 13:24:10 UTC
External References:
https://github.com/ceph/civetweb/pull/33

Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1674929]

Statement:
This flaw does not affect ceph version as shipped with Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3.