CVE-2020-12059: Null Pointer Dereference
First published: Tue Apr 07 2020(Updated: )
A flaw was found in the Ceph Object Gateway S3 API, where it did not properly validate the POST requests. This flaw allows an attacker to perform a denial of service attack using a malicious POST request with specially crafted XML payload, leading to a crash of the RGW process.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ceph | <2:12.2.12-139.el7c | 2:12.2.12-139.el7c |
| redhat/ceph-ansible | <0:3.2.56-1.el7c | 0:3.2.56-1.el7c |
| redhat/cephmetrics | <0:2.0.10-1.el7c | 0:2.0.10-1.el7c |
| redhat/grafana | <0:5.2.4-3.el7c | 0:5.2.4-3.el7c |
| redhat/tcmu-runner | <0:1.4.0-3.el7c | 0:1.4.0-3.el7c |
| Linuxfoundation Ceph | <=13.2.9 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| redhat/ceph | <13.2.10 | 13.2.10 |
| debian/ceph | 14.2.21-1 16.2.11+ds-2 18.2.4+ds-7 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-12059 https://nvd.nist.gov/vuln/detail/CVE-2020-12059 https://ceph.io/releases/v13-2-10-mimic-released/
- https://bugzilla.redhat.com/show_bug.cgi?id=1827262
- https://access.redhat.com/errata/RHSA-2021:1518
- https://access.redhat.com/security/cve/cve-2020-12059
- https://bugzilla.suse.com/show_bug.cgi?id=1170170
- https://docs.ceph.com/docs/master/releases/mimic/
- https://tracker.ceph.com/issues/44967
- https://usn.ubuntu.com/4528-1/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://launchpad.net/bugs/cve/CVE-2020-12059
- https://ceph.io/releases/v13-2-10-mimic-released/
- https://github.com/ceph/ceph/commit/375d926a4f2720a29b079c216bafb884eef985c3
- https://github.com/ceph/ceph/commit/5fb068114bb3da2f8fabea89160a8453f861dc96
- https://security-tracker.debian.org/tracker/CVE-2020-12059
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12059
- https://nvd.nist.gov/vuln/detail/CVE-2020-12059
- https://ubuntu.com/security/CVE-2020-12059
Frequently Asked Questions
What is CVE-2020-12059?
CVE-2020-12059 is a vulnerability in Ceph Object Gateway S3 API that allows an attacker to perform a denial of service attack using a malicious POST request.
What is the severity of CVE-2020-12059?
CVE-2020-12059 has a severity rating of 7.5 (High).
How does CVE-2020-12059 impact Ceph?
CVE-2020-12059 can crash the RGW process of Ceph through a specially crafted XML payload in a POST request.
How can I fix CVE-2020-12059?
To fix CVE-2020-12059, update Ceph to version 13.2.10 or higher.
Are there any references related to CVE-2020-12059?
Yes, here are some references related to CVE-2020-12059: [Reference 1](https://tracker.ceph.com/issues/44967), [Reference 2](https://ceph.io/releases/v13-2-10-mimic-released/), [Reference 3](https://github.com/ceph/ceph/commit/375d926a4f2720a29b079c216bafb884eef985c3).
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-12059
- agent/weakness
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- package-manager/redhat
- vendor/linuxfoundation
- canonical/linuxfoundation ceph
- version/linuxfoundation ceph/13.2.9
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- package-manager/debian