oss-sec mailing list archives
[FYI / CVE assignment notification] CVE-2013-0281 pacemaker: Denial of service when remote CIB management enabled due to use of no-timeout blocking socket to wait for the arrival of the authentication credentials
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 14 Feb 2013 11:47:47 -0500 (EST)
Hello vendors, * A denial of service flaw was found in the way Pacemaker, an advanced, scalable high-availability cluster resource manager for Linux-HA (Heartbeat) and/or Corosync, performed authentication and processing of remote connections in certain circumstances. In general Pacemaker used a blocking socket (without a timeout) to wait for authentication credentials to arrive. When Pacemaker was configured to allow remote Cluster Information Base (CIB) cluster's configuration / cluster's resources management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving another requests). * The CVE identifier of CVE-2013-0281 has been assigned to this issue. * This issue was found by David Vossel of Red Hat. * Relevant upstream patch: [1] https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93 * References: [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281 Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- [FYI / CVE assignment notification] CVE-2013-0281 pacemaker: Denial of service when remote CIB management enabled due to use of no-timeout blocking socket to wait for the arrival of the authentication credentials Jan Lieskovsky (Feb 14)