Bug 891922 (CVE-2013-0281) - CVE-2013-0281 pacemaker: remote DoS when CIB management is enabled caused by use of blocking sockets
Summary: CVE-2013-0281 pacemaker: remote DoS when CIB management is enabled caused by ...
Alias: CVE-2013-0281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 891766 911291
Blocks: 891925 974906
Reported: 2013-01-04 13:44 UTC by Jan Lieskovsky
Modified: 2021-02-17 08:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-11-22 05:20:30 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1635 | 0 | normal | SHIPPED_LIVE | Low: pacemaker security, bug fix, and enhancement update | 2013-11-20 21:53:44 UTC

Description Jan Lieskovsky 2013-01-04 13:44:18 UTC
A denial of service flaw was found in the way Pacemaker, an advanced, scalable high-availability cluster resource manager for Linux-HA (Heartbeat) and/or Corosync, performed authentication and processing of remote connections in certain circumstances. In general Pacemaker used a blocking socket (without a timeout) to wait for authentication credentials to arrive. When Pacemaker was configured to allow remote Cluster Information Base (CIB) cluster's configuration / cluster's resources management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests).

Important Note: In the default configuration of Pacemaker in Red Hat Enterprise Linux 6 the remote CIB management feature / functionality is turned off.
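The general mitigation for the pattern described in this report, as an added example that is not part of the original bug report and is not Pacemaker's code or its upstream patch: the wait for credentials is bounded by one overall deadline, so neither a silent peer nor one that sends a partial message can hold the reader. The names `read_auth_line` and `demo_peer`, the newline-terminated credential framing, and the 200 ms budget are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* clock_gettime() under strict -std= modes */
#endif
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void) {        /* monotonic clock, milliseconds */
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Hypothetical helper: read one '\n'-terminated credential line (assumed framing)
 * within ONE overall deadline, so a silent or trickling peer cannot hold the
 * caller. Returns line length, -1 on timeout, -2 on close/error/oversized input. */
long read_auth_line(int fd, char *buf, size_t cap, int budget_ms) {
    long deadline = now_ms() + budget_ms;
    size_t len = 0;
    while (len + 1 < cap) {
        long left = deadline - now_ms();
        if (left <= 0) return -1;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int rc = poll(&p, 1, (int)left);          /* bounded wait, never blocks forever */
        if (rc == 0) return -1;
        if (rc < 0) { if (errno == EINTR) continue; return -2; }
        ssize_t n = recv(fd, buf + len, cap - 1 - len, MSG_DONTWAIT);
        if (n == 0) return -2;                    /* peer closed before authenticating */
        if (n < 0) { if (errno == EAGAIN || errno == EINTR) continue; return -2; }
        len += (size_t)n;
        char *nl = memchr(buf, '\n', len);
        if (nl) { *nl = '\0'; return (long)(nl - buf); }
    }
    return -2;
}

/* Constructed peer on a socketpair: sends `payload` (or nothing) and then stalls. */
int demo_peer(const char *payload) {
    int sv[2]; char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -3;
    if (payload && write(sv[1], payload, strlen(payload)) < 0) return -3;
    int r = (int)read_auth_line(sv[0], buf, sizeof buf, 200);
    close(sv[0]); close(sv[1]);
    return r;
}

int main(void) { return demo_peer(NULL) == -1 ? 0 : 1; }
```

A per-call receive timeout alone would not cover the partial-message case, because each small chunk resets the wait; the deadline here is computed once and only shrinks.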

Comment 1 Jan Lieskovsky 2013-01-04 13:46:15 UTC
This issue was found by David Vossel of Red Hat.

Comment 3 Jan Lieskovsky 2013-01-04 13:59:46 UTC
This issue affects the version of the pacemaker package, as shipped with Red Hat Enterprise Linux 6.


This issue affects the versions of the pacemaker package, as shipped with Fedora release of 16 and 17.

Comment 4 Jan Lieskovsky 2013-02-13 15:38:59 UTC
The CVE identifier of CVE-2013-0281 has been assigned to this issue.

Comment 5 Jan Lieskovsky 2013-02-14 10:27:46 UTC
Relevant upstream patch:

Comment 6 Jan Lieskovsky 2013-02-14 16:41:57 UTC
Created pacemaker tracking bugs for this issue

Affects: fedora-all [bug 911291]

Comment 8 errata-xmlrpc 2013-11-21 11:55:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1635 https://rhn.redhat.com/errata/RHSA-2013-1635.html

Comment 9 Huzaifa S. Sidhpurwala 2013-11-22 05:20:30 UTC

