CVE-2012-3421
First published: Thu Jul 19 2012(Updated: )
Florian Weimer of the Red Hat Product Security Team discovered a denial of service flaw in pmcd (the PCP (Performance Co-Pilot) performance metrics collector daemon) due to incorrect event-driven programming. Because the pduread() function in libpcp performs a select locally, waiting for more client data, an unauthenticated remote attacker could send individual bytes one by one, avoiding the timeout, and blocking pmcd in order to prevent it from responding to other legitimate requests.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pcp | <3.6.5 | 3.6.5 |
| Performance Co-Pilot | <=3.6.4 | |
| Performance Co-Pilot | =2.1.1 | |
| Performance Co-Pilot | =2.1.2 | |
| Performance Co-Pilot | =2.1.3 | |
| Performance Co-Pilot | =2.1.4 | |
| Performance Co-Pilot | =2.1.5 | |
| Performance Co-Pilot | =2.1.6 | |
| Performance Co-Pilot | =2.1.7 | |
| Performance Co-Pilot | =2.1.8 | |
| Performance Co-Pilot | =2.1.9 | |
| Performance Co-Pilot | =2.1.10 | |
| Performance Co-Pilot | =2.1.11 | |
| Performance Co-Pilot | =2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=602308&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=602308&action=edit
- http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=9ba85dca940de976176ce196fd5e3c4170936354
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=848629
- https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
- https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
- https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
- https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
- https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6
- https://bugzilla.redhat.com/show_bug.cgi?id=841706
- http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085324.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085333.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00024.html
- http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=blob;f=CHANGELOG;h=16c9cbb2f61d909487ea1c3171f4ab33e5648ac5;hb=fe51067ae869a4d59f350ac319b09edcb77ac8e6
- http://www.debian.org/security/2012/dsa-2533
- http://www.openwall.com/lists/oss-security/2012/08/16/1
- https://hermes.opensuse.org/messages/15471040
- https://hermes.opensuse.org/messages/15540133
- https://hermes.opensuse.org/messages/15540172
Frequently Asked Questions
What is the severity of CVE-2012-3421?
CVE-2012-3421 is considered a denial of service vulnerability.
How do I fix CVE-2012-3421?
To fix CVE-2012-3421, upgrade to Performance Co-Pilot version 3.6.5 or later.
Which versions of Performance Co-Pilot are affected by CVE-2012-3421?
CVE-2012-3421 affects Performance Co-Pilot versions up to 3.6.4 and all versions from 2.1.1 to 2.2.
What kind of attack does CVE-2012-3421 allow?
CVE-2012-3421 allows remote attackers to cause a denial of service by sending individual bytes of a PDU separately.
What component is vulnerable in CVE-2012-3421?
The vulnerable component in CVE-2012-3421 is the pduread function in the libpcp library.
- collector/redhat-bugzilla
- alias/CVE-2012-3421
- agent/author
- agent/severity
- agent/references
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/sgi
- canonical/performance co-pilot
- version/performance co-pilot/3.6.4
- version/performance co-pilot/2.1.1
- version/performance co-pilot/2.1.2
- version/performance co-pilot/2.1.3
- version/performance co-pilot/2.1.4
- version/performance co-pilot/2.1.5
- version/performance co-pilot/2.1.6
- version/performance co-pilot/2.1.7
- version/performance co-pilot/2.1.8
- version/performance co-pilot/2.1.9
- version/performance co-pilot/2.1.10
- version/performance co-pilot/2.1.11
- version/performance co-pilot/2.2