First published: Thu Dec 06 2018(Updated: )
A flaw was found in rados gateway shipped as part of ceph. Unclosed file descriptors while denying TCP connections to SSL serving port pile up until exhaustion of resources leading to potencial remote denial of service.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Ceph Civetweb | ||
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
Ceph Civetweb | <1.11 | |
debian/ceph | 14.2.21-1 16.2.11+ds-2 16.2.15+ds-0+deb12u1 18.2.4+ds-11 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-3821 is a vulnerability found in the way civetweb frontend handles requests for ceph RGW server with SSL enabled, allowing an unauthenticated attacker to create multiple connections and exhaust file descriptors, leading to a remote denial of service.
The software affected by CVE-2019-3821 includes Ceph Civetweb, Canonical Ubuntu Linux 16.04 LTS, Canonical Ubuntu Linux 18.10, and Canonical Ubuntu Linux 19.04.
CVE-2019-3821 has a severity rating of 7.5 (High).
To fix CVE-2019-3821 on Ubuntu, you can update the ceph package to version 13.2.4+dfsg1-0ubuntu0.18.10.2 for Ubuntu 18.10 (Cosmic) or version 13.2.4+dfsg1-0ubuntu2.1 for Ubuntu 19.04 (Disco).
Yes, you can find references for CVE-2019-3821 at the following links: [Bugzilla Red Hat](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3821), [GitHub](https://github.com/ceph/civetweb/pull/33), [Ubuntu Security Notice](https://usn.ubuntu.com/4035-1/).