A denial of service flaw was found in the way Pacemaker, an advanced, scalable high-availability cluster resource manager for Linux-HA (Heartbeat) and/or Corosync, performed authentication and processing of remote connections in certain circumstances. In general Pacemaker used a blocking socket (without a timeout) to wait for authentication credentials to arrive. When Pacemaker was configured to allow remote Cluster Information Base (CIB) cluster's configuration / cluster's resources management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving another requests).
Important Note: In the default configuration of Pacemaker in Red Hat Enterprise Linux 6 the remote CIB management feature / functionality is turned off.
This issue was found by David Vossel of Red Hat.
This issue affects the version of the pacemaker package, as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of the pacemaker package, as shipped with Fedora release of 16 and 17.
The CVE identifier of CVE-2013-0281 has been assigned to this issue.
Relevant upstream patch:
Created pacemaker tracking bugs for this issue
Affects: fedora-all [bug 911291]
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1635 https://rhn.redhat.com/errata/RHSA-2013-1635.html