ID

VAR-201903-0122


CVE

CVE-2019-3821


TITLE

civetWeb Resource management vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003083

DESCRIPTION

A flaw was found in the way the civetweb frontend handled requests for the Ceph RGW server with SSL enabled. An unauthenticated attacker could create multiple connections to the Ceph RADOS gateway to exhaust file descriptors for the ceph-radosgw service, resulting in a remote denial of service. civetWeb contains a resource management vulnerability; the service may be put into a denial-of-service (DoS) state. Red Hat Ceph is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause denial-of-service conditions.

==========================================================================
Ubuntu Security Notice USN-4035-1
June 25, 2019

ceph vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ceph.

Software Description:
- ceph: distributed storage and file system

Details:

It was discovered that Ceph incorrectly handled read only permissions. An
authenticated attacker could use this issue to obtain dm-crypt encryption
keys. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-14662)

It was discovered that Ceph incorrectly handled certain OMAPs holding bucket
indices. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-16846)

It was discovered that Ceph incorrectly sanitized certain debug logs. A local
attacker could possibly use this issue to obtain encryption key information.
This issue was only addressed in Ubuntu 18.10 and Ubuntu 19.04.
(CVE-2018-16889)

It was discovered that Ceph incorrectly handled certain civetweb requests.
This issue only affected Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-3821)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
  ceph                            13.2.4+dfsg1-0ubuntu2.1
  ceph-common                     13.2.4+dfsg1-0ubuntu2.1

Ubuntu 18.10:
  ceph                            13.2.4+dfsg1-0ubuntu0.18.10.2
  ceph-common                     13.2.4+dfsg1-0ubuntu0.18.10.2

Ubuntu 16.04 LTS:
  ceph                            10.2.11-0ubuntu0.16.04.2
  ceph-common                     10.2.11-0ubuntu0.16.04.2

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4035-1
  CVE-2018-14662, CVE-2018-16846, CVE-2018-16889, CVE-2019-3821

Package Information:
  https://launchpad.net/ubuntu/+source/ceph/13.2.4+dfsg1-0ubuntu2.1
  https://launchpad.net/ubuntu/+source/ceph/13.2.4+dfsg1-0ubuntu0.18.10.2
  https://launchpad.net/ubuntu/+source/ceph/10.2.11-0ubuntu0.16.04.2

Trust: 1.98

sources: NVD: CVE-2019-3821 // JVNDB: JVNDB-2019-003083 // BID: 107021 // PACKETSTORM: 153428

AFFECTED PRODUCTS

vendor: canonical, model: ubuntu linux, scope: eq, version: 18.10

Trust: 1.0

vendor: ceph, model: civetweb, scope: lt, version: 1.11

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 19.04

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 16.04

Trust: 1.0

vendor: civetweb, model: civetweb, scope: -, version: -

Trust: 0.8

vendor: redhat, model: ceph storage, scope: eq, version: 0

Trust: 0.3

sources: BID: 107021 // JVNDB: JVNDB-2019-003083 // NVD: CVE-2019-3821

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3821
value: HIGH

Trust: 1.0

secalert@redhat.com: CVE-2019-3821
value: HIGH

Trust: 1.0

NVD: CVE-2019-3821
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-623
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-3821
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

secalert@redhat.com: CVE-2019-3821
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-3821
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: JVNDB: JVNDB-2019-003083 // CNNVD: CNNVD-201902-623 // NVD: CVE-2019-3821 // NVD: CVE-2019-3821

PROBLEMTYPE DATA

problemtype: CWE-772

Trust: 1.0

problemtype: CWE-399

Trust: 0.8

sources: JVNDB: JVNDB-2019-003083 // NVD: CVE-2019-3821

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-623

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201902-623

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003083

PATCH

title: Fix file descriptor leak. #33
url: https://github.com/ceph/civetweb/pull/33

Trust: 0.8

title: ceph Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89410

Trust: 0.6

sources: JVNDB: JVNDB-2019-003083 // CNNVD: CNNVD-201902-623

EXTERNAL IDS

db: NVD, id: CVE-2019-3821

Trust: 2.8

db: JVNDB, id: JVNDB-2019-003083

Trust: 0.8

db: PACKETSTORM, id: 153428

Trust: 0.7

db: AUSCERT, id: ESB-2019.2301

Trust: 0.6

db: AUSCERT, id: ESB-2019.2927

Trust: 0.6

db: CNNVD, id: CNNVD-201902-623

Trust: 0.6

db: BID, id: 107021

Trust: 0.3

sources: BID: 107021 // JVNDB: JVNDB-2019-003083 // PACKETSTORM: 153428 // CNNVD: CNNVD-201902-623 // NVD: CVE-2019-3821

REFERENCES

url: https://usn.ubuntu.com/4035-1/

Trust: 2.2

url: https://github.com/ceph/civetweb/pull/33

Trust: 1.9

url: https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3821

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-3821

Trust: 1.5

url: https://access.redhat.com/security/cve/cve-2019-3821

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3821

Trust: 0.8

url: https://www.suse.com/support/update/announcement/2019/suse-su-20192049-1.html

Trust: 0.6

url: https://packetstormsecurity.com/files/153428/ubuntu-security-notice-usn-4035-1.html

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.2927/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.2301/

Trust: 0.6

url: http://ceph.com/

Trust: 0.3

url: https://bugzilla.redhat.com/show_bug.cgi?id=1656852

Trust: 0.3

url: https://launchpad.net/ubuntu/+source/ceph/13.2.4+dfsg1-0ubuntu2.1

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2018-16846

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2018-16889

Trust: 0.1

url: https://usn.ubuntu.com/4035-1

Trust: 0.1

url: https://launchpad.net/ubuntu/+source/ceph/13.2.4+dfsg1-0ubuntu0.18.10.2

Trust: 0.1

url: https://launchpad.net/ubuntu/+source/ceph/10.2.11-0ubuntu0.16.04.2

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2018-14662

Trust: 0.1

sources: BID: 107021 // JVNDB: JVNDB-2019-003083 // PACKETSTORM: 153428 // CNNVD: CNNVD-201902-623 // NVD: CVE-2019-3821

CREDITS

Ubuntu

Trust: 0.7

sources: PACKETSTORM: 153428 // CNNVD: CNNVD-201902-623

SOURCES

db: BID, id: 107021
db: JVNDB, id: JVNDB-2019-003083
db: PACKETSTORM, id: 153428
db: CNNVD, id: CNNVD-201902-623
db: NVD, id: CVE-2019-3821

LAST UPDATE DATE

2024-11-23T19:55:12.170000+00:00


SOURCES UPDATE DATE

db: BID, id: 107021, date: 2019-02-11T00:00:00
db: JVNDB, id: JVNDB-2019-003083, date: 2019-05-09T00:00:00
db: CNNVD, id: CNNVD-201902-623, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2019-3821, date: 2024-11-21T04:42:36.780

SOURCES RELEASE DATE

db: BID, id: 107021, date: 2019-02-11T00:00:00
db: JVNDB, id: JVNDB-2019-003083, date: 2019-05-09T00:00:00
db: PACKETSTORM, id: 153428, date: 2019-06-25T23:50:09
db: CNNVD, id: CNNVD-201902-623, date: 2019-02-11T00:00:00
db: NVD, id: CVE-2019-3821, date: 2019-03-27T13:29:01.507