CVE-2021-3531
Published: 18 May 2021
A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability.
From the Ubuntu Security Team
It was discovered that Ceph's RadosGW (Ceph Object Gateway) did not properly handle GET requests for swift URLs in some situations, leading to an application crash. An attacker could use this to cause a denial of service.
Notes
| Author | Note |
|---|---|
| mdeslaur | this is fixed in 16.2.4 in hirsute-updates but has not been pushed to the security pocket |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ceph Launchpad, Ubuntu, Debian |
bionic |
Released
(12.2.13-0ubuntu0.18.04.10)
|
| focal |
Released
(15.2.12-0ubuntu0.20.04.1)
|
|
| groovy |
Released
(15.2.12-0ubuntu0.20.10.1)
|
|
| hirsute |
Released
(16.2.6-0ubuntu0.21.04.2)
|
|
| impish |
Released
(16.2.4-0ubuntu1)
|
|
| jammy |
Released
(16.2.4-0ubuntu1)
|
|
| kinetic |
Released
(16.2.4-0ubuntu1)
|
|
| lunar |
Released
(16.2.4-0ubuntu1)
|
|
| mantic |
Released
(16.2.4-0ubuntu1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(15.2.12)
|
|
| xenial |
Needed
|
|
|
Patches: upstream: https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e upstream: https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039 upstream: https://github.com/ceph/ceph/commit/bf06990ab41d7ac299e4441ad9cd434e926a18e7 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |