Bug 1145093 - (CVE-2019-10222) VUL-0: CVE-2019-10222: ceph: unauthenticated clients can crash RGW
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Nathan Cutler
Security Team bot
https://smash.suse.de/issue/239342/
CVSSv3:SUSE:CVE-2019-10222:7.5:(AV:N/...
Reported: 2019-08-09 14:10 UTC by Alexandros Toptsoglou
Modified: 2021-07-19 10:50 UTC

Comment 3 Alexandros Toptsoglou 2019-08-09 14:16:10 UTC
Original reporter is Abhishek who is also in CC
Comment 5 Alexandros Toptsoglou 2019-08-09 14:18:32 UTC
Created attachment 813523
FIX
Comment 7 Abhishek Lekshmanan 2019-08-15 09:36:01 UTC
https://build.suse.de/request/show/198947 was submitted by Nathan
Comment 11 Alexandros Toptsoglou 2019-08-28 15:30:24 UTC
CVE-2019-10222: ceph: unauthenticated clients can crash RGW

Affected versions:
Nautilus (version 14.2.X) 
Mimic (version 13.2.X)
Luminous (version 12.2.X) only if an experimental feature is enabled in ceph.conf: 
  enable_experimental_unrecoverable_data_corrupting_features=true
  enable experimental unrecoverable data corrupting features = rgw-beast-frontend


Description:
Improper exception condition handling in Ceph allows any single unauthenticated
client to crash the RGW component of Ceph by sending a specially crafted HTTP request, which leads
to denial of service.
The vulnerability affects the RGW component of Ceph, specifically ceph-radosgw.

Mitigation:
Apply the fix from the pull request at https://github.com/ceph/ceph/pull/29967

Timeline:
- 2019-08-07: Issue discovered.
- 2019-08-08: Issue reported to security@ceph.io
- 2019-08-16: Coordinated release date set on 28th 
- 2019-08-28: Disclosure

Reference:
https://bugzilla.suse.com/show_bug.cgi?id=1145093

Credit:
This vulnerability was discovered by Abhishek Lekshmanan of SUSE Software Solutions Germany GmbH
Comment 12 Alexandros Toptsoglou 2019-08-28 15:30:49 UTC
What is affected? 

Nautilus (version 14.2.X) and Mimic (version 13.2.X) are definitely affected 
Luminous (version 12.2.X) is affected only if an experimental feature is enabled that is "enable_experimental_unrecoverable_data_corrupting_features = beast"
Anything older than Luminous is not affected at all.

In our case: 

The vulnerability affects the RGW server, specifically ceph-radosgw, which is only shipped in storage products.
Based on this, SLE15-SP1 is marked as affected; it has already received the patch and is waiting for the embargo to be lifted.
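
A triage helper for the affected-version rules stated in comments 11 and 12, added here as an example; it is not part of the bug report or of Ceph. The function names and result strings are assumptions, the accepted option values are the three quoted in those comments, and the inputs are the text of `ceph --version` and of ceph.conf.

```python
import re

# Option named in the advisory. Ceph treats spaces, dashes and underscores
# in option names as equivalent, so keys are normalized before comparing.
EXPERIMENTAL_OPT = "enable_experimental_unrecoverable_data_corrupting_features"
# Values quoted for that option in comments 11 and 12.
BEAST_VALUES = {"true", "beast", "rgw-beast-frontend"}

def experimental_beast_enabled(conf_text):
    """True if any ceph.conf section sets the option to one of the listed values."""
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"[ \-]+", "_", key.strip().lower())
        tokens = {t.lower() for t in re.split(r"[,\s]+", value.strip()) if t}
        if key == EXPERIMENTAL_OPT and tokens & BEAST_VALUES:
            return True
    return False

def triage(version_output, conf_text=""):
    """Classify a node from `ceph --version` output and its ceph.conf text."""
    m = re.search(r"\b(\d+)\.(\d+)\.\d+", version_output)
    if not m:
        return "unknown-version"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) in {(14, 2), (13, 2)}:          # Nautilus, Mimic
        return "affected-series: confirm the fix is installed"
    if (major, minor) == (12, 2):                     # Luminous: conditional
        if experimental_beast_enabled(conf_text):
            return "affected-series: confirm the fix is installed"
        return "not-affected: experimental feature not enabled"
    if major < 12:
        return "not-affected: older than Luminous"
    return "not-listed in the advisory"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real cluster.
    sample_conf = ("[global]\nenable experimental unrecoverable data "
                   "corrupting features = rgw-beast-frontend\n")
    print(triage("ceph version 12.2.12 (0000) luminous (stable)", sample_conf))
    print(triage("ceph version 14.2.2 (0000) nautilus (stable)"))
```

The script only places a node in or out of the affected release series; whether the fix is installed still has to be confirmed against the vendor's package changelog.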
Comment 13 Swamp Workflow Management 2019-08-28 19:15:10 UTC
SUSE-SU-2019:2247-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1145093
CVE References: CVE-2019-10222
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.2.349+g6716a1e448-3.9.1, ceph-test-14.2.2.349+g6716a1e448-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.2.349+g6716a1e448-3.9.1
SUSE Enterprise Storage 6 (src):    ceph-14.2.2.349+g6716a1e448-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Alexandros Toptsoglou 2019-08-29 07:25:37 UTC
Released
Comment 15 Swamp Workflow Management 2019-08-29 15:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (1145093) was mentioned in
https://build.opensuse.org/request/show/727039 Factory / ceph
Comment 20 Swamp Workflow Management 2019-10-22 13:13:12 UTC
SUSE-SU-2019:2736-1: An update that solves one vulnerability and has 21 fixes is now available.

Category: security (moderate)
Bug References: 1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002
CVE References: CVE-2019-10222
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.4.373+gc3e67ed133-3.19.1, ceph-test-14.2.4.373+gc3e67ed133-3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.4.373+gc3e67ed133-3.19.1
SUSE Enterprise Storage 6 (src):    ceph-14.2.4.373+gc3e67ed133-3.19.1, ceph-iscsi-3.3+1570532654.g93940a4-3.5.1, ses-manual_en-6+git145.1558531-3.15.1

Comment 23 Swamp Workflow Management 2019-11-18 17:13:09 UTC
SUSE-SU-2019:2994-1: An update that solves one vulnerability and has 22 fixes is now available.

Category: security (important)
Bug References: 1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002,1156282
CVE References: CVE-2019-10222
Sources used:
SUSE Enterprise Storage 6 (src):    ceph-iscsi-3.3+1570532654.g93940a4-3.7.1, ses-manual_en-6+git145.1558531-3.17.1
