CVE-2021-3531

Published: 18 May 2021

A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability.

From the Ubuntu security team

It was discovered that Ceph's RadosGW (Ceph Object Gateway) did not properly handle GET requests for swift URLs in some situations, leading to an application crash. An attacker could use this to cause a denial of service.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
ceph
Launchpad, Ubuntu, Debian
Upstream
Released (15.2.12)
Ubuntu 21.10 (Impish Indri)
Released (16.2.4-0ubuntu1)
Ubuntu 21.04 (Hirsute Hippo) Needed

Ubuntu 20.04 LTS (Focal Fossa)
Released (15.2.12-0ubuntu0.20.04.1)
Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 ESM (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Needs triage

Patches:
Upstream: https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e (nautilus)
Upstream: https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039 (octopus)
Upstream: https://github.com/ceph/ceph/commit/bf06990ab41d7ac299e4441ad9cd434e926a18e7 (pacific)