oss-sec mailing list archives
CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server
From: Hardik Vyas <hvyas () redhat com>
Date: Sat, 1 Feb 2020 01:17:26 +0530
Hello, A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system. This flaw affects Nautilus based versions. If Beast front end is in use, switch to CivetWeb to mitigate the issue. Red Hat has assigned CVE-2020-1700 and rated as Moderate impact flaw. PR: https://github.com/ceph/ceph/pull/33017 Patch: https://github.com/ceph/ceph/commit/ff72c50a2c43c57aead933eb4903ad1ca6d1748a Credit: Or Friedmann(Red Hat) Regards, -- Hardik Vyas / Red Hat Product Security BD48 C633 DE34 733A BBC3 3B72 8A14 AEBB D68B 9381
Current thread:
- CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server Hardik Vyas (Jan 31)