Bug 1125080 - (CVE-2019-3821) VUL-0: CVE-2019-3821: ceph: ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Nathan Cutler
Security Team bot
https://smash.suse.de/issue/224555/
CVSSv3:RedHat:CVE-2019-3821:7.5:(AV:N...
Reported: 2019-02-12 06:46 UTC by Marcus Meissner
Modified: 2021-07-19 10:44 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2019-02-12 06:46:19 UTC
rh#1656852

A flaw was found in rados gateway shipped as part of ceph. Unclosed file descriptors while denying TCP connections to SSL serving port pile up until exhaustion of resources leading to potential remote denial of service.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1656852
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3821
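
The descriptor leak described above, reduced to a minimal C illustration that is added here and is not code from civetweb, radosgw or the linked pull requests: a rejection path that returns without closing the accepted socket, next to one that closes it, with the number of descriptors left open measured for each. All function names are hypothetical, and the "connections" are constructed locally with socketpair().

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in this process (scans fds 0..1023). */
static int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Hypothetical stand-in for a TLS setup step that rejects the connection. */
static int tls_setup_fails(int fd) { (void)fd; return -1; }

/* Leaky pattern: the rejection path returns without releasing the socket. */
static int deny_leaky(int fd) { return tls_setup_fails(fd); /* fd never closed */ }

/* Hardened pattern: the rejection path closes the accepted socket. */
static int deny_fixed(int fd) {
    int rc = tls_setup_fails(fd);
    if (rc != 0)
        close(fd);
    return rc;
}

/* Feed n constructed connections to a handler; return how many fds stay open. */
static int leaked_after(int n, int (*handler)(int)) {
    int before = count_open_fds();
    for (int i = 0; i < n; i++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
            return -1;
        close(sv[1]);      /* constructed client side disconnects */
        handler(sv[0]);    /* server side goes down the rejection path */
    }
    return count_open_fds() - before;
}

int main(void) {
    printf("leaky: %d descriptors left open\n", leaked_after(100, deny_leaky));
    printf("fixed: %d descriptors left open\n", leaked_after(100, deny_fixed));
    return 0;
}
```

In the leaky variant every denied connection costs the process one descriptor permanently, so the count grows until the process's open-file limit is reached and new connections can no longer be accepted.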
Comment 1 Marcus Meissner 2019-02-12 08:53:00 UTC
https://github.com/ceph/civetweb/pull/33
Comment 3 Nathan Cutler 2019-03-11 12:54:40 UTC
https://github.com/ceph/ceph/pull/26515

Has been in SES6 since (at least) Milestone 11.
Comment 4 Nathan Cutler 2019-05-22 08:45:06 UTC
According to Comment 2, this bug *only* affects SES6.

The fix has been in SES6 since February 2019. I have just added the bsc# and CVE citations to the changes file.
Comment 7 Swamp Workflow Management 2019-08-05 19:14:28 UTC
SUSE-SU-2019:2049-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1121567,1123360,1124957,1125080,1125899,1131984,1132396,1133139,1133461,1135030,1135219,1135221,1135388,1136110
CVE References: CVE-2018-16889,CVE-2019-3821
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2, ceph-test-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Enterprise Storage 6 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.