986214 – (CVE-2013-4284) CVE-2013-4284 cumin: Denial of service due to improper handling of certain Ajax requests

Bug 986214 (CVE-2013-4284) - CVE-2013-4284 cumin: Denial of service due to improper handling of certain Ajax requests

Summary: CVE-2013-4284 cumin: Denial of service due to improper handling of certain Aj...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-4284
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	980366 983134 1014282
Blocks:	986234
TreeView+	depends on / blocked

Reported:	2013-07-19 09:08 UTC by Jan Lieskovsky
Modified:	2021-10-20 10:39 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-10-20 10:39:48 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1294	0	normal	SHIPPED_LIVE	Moderate: Red Hat Enterprise MRG Grid 2.4 security update	2013-10-01 20:35:50 UTC
Red Hat Product Errata	RHSA-2013:1295	0	normal	SHIPPED_LIVE	Moderate: Red Hat Enterprise MRG Grid 2.4 security update	2013-10-01 20:35:36 UTC

Description Jan Lieskovsky 2013-07-19 09:08:30 UTC

A denial of service flaw was found in the way cumin, a unified management interface for the Messaging, Realtime, and Grid components of MRG, used to previously process certain Ajax update queries (the count of entries to be handled within one Ajax query was not limited for upper bound, processing of duplicate identical entries weren't optimized previously for effectiveness - to mention some examples). By issuing a specially-crafted Ajax request, a remote attacker could use this flaw to cause denial (excessive use of system CPU time and memory, possibly leading to cumin daemon to beterminated by OOM killer) of the cumin services.

This issue was found by Tomas Novacik of Red Hat.

Comment 3 Vincent Danen 2013-10-01 15:43:03 UTC

Created cumin tracking bugs for this issue:

Affects: fedora-all [bug 1014282]

Comment 4 errata-xmlrpc 2013-10-01 16:47:31 UTC

This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2013:1295 https://rhn.redhat.com/errata/RHSA-2013-1295.html

Comment 5 errata-xmlrpc 2013-10-01 16:53:09 UTC

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1294 https://rhn.redhat.com/errata/RHSA-2013-1294.html

Note You need to log in before you can comment on or make changes to this bug.