oss-sec mailing list archives
Re: CVE request - ganglia
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 20 Jan 2009 21:13:26 -0500 (EST)
Notice the second CVE for the bandwidth/CPU consumption. The attack scenario isn't completely clear to me, but since it's labeled as a DoS by the developer, I decided to include it.

- Steve

======================================================
Name: CVE-2009-0241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0241
Reference: MLIST:[Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port
Reference: URL:http://www.mail-archive.com/ganglia-developers () lists sourceforge net/msg04929.html
Reference: MISC:http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223
Reference: BID:33299
Reference: URL:http://www.securityfocus.com/bid/33299
Reference: SECUNIA:33506
Reference: URL:http://secunia.com/advisories/33506

Stack-based buffer overflow in the process_path function in gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a denial of service (crash) via a request to the gmetad service with a long pathname.

======================================================
Name: CVE-2009-0242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0242
Reference: MLIST:[Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port
Reference: URL:http://www.mail-archive.com/ganglia-developers () lists sourceforge net/msg04929.html

Ganglia 3.1.1 allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth.
Current thread:
- CVE request - ganglia Tomas Hoger (Jan 15)
- Re: CVE request - ganglia Steven M. Christey (Jan 20)
- Re: CVE request - ganglia Tomas Hoger (Jan 26)
- Re: CVE request - ganglia Steven M. Christey (Feb 03)