Vulnerability CVE-2013-0281

Vulnerability Name:

CVE-2013-0281 (CCN-82094)

Assigned:

2012-12-06

Published:

2013-02-14

Updated:

2019-04-22

Summary:

Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking).

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

2.6 Low (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
1.9 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-399

Vulnerability Consequences:

Denial of Service

References:

Source: CCN
Type: Cluster Labs Web site
Pacemaker

Source: MITRE
Type: CNA
CVE-2013-0281

Source: CCN
Type: RHSA-2013-1635
Low: pacemaker security, bug fix, and enhancement update

Source: REDHAT
Type: Vendor Advisory
RHSA-2013:1635

Source: CCN
Type: SA52171
Pacemaker Authentication Request Processing Denial of Service Vulnerability

Source: CCN
Type: BID-57965
Pacemaker CVE-2013-0281 Remote Denial of Service Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=891922

Source: CCN
Type: Red Hat Bugzilla Bug 891922
CVE-2013-0281 pacemaker: Denial of service when remote CIB management enabled due to use of no-timeout blocking socket to wait for the arrival of the authentication credentials

Source: XF
Type: UNKNOWN
pacemaker-connection-dos(82094)

Source: CCN
Type: Pacemaker GIT Repository
High: core: Internal tls api improvements for reuse with future LRMD

Source: CONFIRM
Type: Exploit, Patch
https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93

Vulnerable Configuration:

Configuration 1:

cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:clusterlabs:pacemaker:1.1.10:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:26830	P	ELSA-2013-1635 -- pacemaker security, bug fix, and enhancement update (low)	2014-12-15
oval:org.mitre.oval:def:26652	P	RHSA-2013:1635 -- pacemaker security, bug fix, and enhancement update (Low)	2014-12-08
oval:com.ubuntu.precise:def:20130281000	V	CVE-2013-0281 on Ubuntu 12.04 LTS (precise) - low.	2013-11-23
oval:com.ubuntu.trusty:def:20130281000	V	CVE-2013-0281 on Ubuntu 14.04 LTS (trusty) - low.	2013-11-23
oval:com.ubuntu.xenial:def:201302810000000	V	CVE-2013-0281 on Ubuntu 16.04 LTS (xenial) - low.	2013-11-23
oval:com.ubuntu.xenial:def:20130281000	V	CVE-2013-0281 on Ubuntu 16.04 LTS (xenial) - low.	2013-11-23
oval:com.redhat.rhsa:def:20131635	P	RHSA-2013:1635: pacemaker security, bug fix, and enhancement update (Low)	2013-11-21

BACK