Bug 1791691 (CVE-2020-1700) - CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server
Summary: CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS ...
Keywords:
Status: NEW
Alias: CVE-2020-1700
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1794358 1796995 1793038
Blocks: 1791692
TreeView+ depends on / blocked
 
Reported: 2020-01-16 11:37 UTC by Marian Rehak
Modified: 2020-02-11 01:36 UTC (History)
30 users (show)

Fixed In Version: ceph 14.2.4-125.el8cp, ceph 14.2.4-51.el7cp
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2020-01-16 11:37:53 UTC
An unexpected disconnect during processing of some ops with Beast front-end configured (the default in rhcs-4.0) can lead to permanent leak of a socket connection by radosgw.

Comment 1 Hardik Vyas 2020-01-17 07:56:26 UTC
Mitigation:

If Beast front end is in use, switch to CivetWeb to mitigate the issue. The following is an example of the /etc/ceph/ceph.conf file:

<snip>
...
[client.rgw.node1]
rgw frontends = civetweb
...
</snip>

Comment 5 Hardik Vyas 2020-01-17 15:19:49 UTC
Acknowledgments:

Name: Or Friedman (Red Hat)

Comment 11 Hardik Vyas 2020-01-31 17:27:32 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1796995]

Comment 14 Anten Skrabec 2020-02-04 20:25:05 UTC
Removing affected from Openstack platform as versions shipped by ceph repositories are not affected.

Comment 15 Anten Skrabec 2020-02-11 01:36:12 UTC
Statement:

* Red Hat Ceph Storage 3 is not affected by this flaw, as beast is unsupported in the product.
* Red Hat Ceph Storage 4 is not affected by this flaw, as it is shipping patched version of ceph.
* Red Hat Openshift Container Storage 4.2 is affected by this flaw, as it is using the affected version of ceph.
* Red Hat OpenStack Platform 13 included some Ceph components at release for in order to support ppc64le. The version provided in the OpenStack repositories is outdated and customers are expected to be using versions provided in Ceph repositories now. Red Hat OpenStack Platform 13 operators should verify they are using Ceph repositories which are up to date and unaffected by this vulnerability.


Note You need to log in before you can comment on or make changes to this bug.