Vulnerability Name: CVE-2021-3531 (CCN-202004)

Assigned: 2021-05-14
Published: 2021-05-14
Updated: 2022-10-27
Summary: A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET request for a Swift URL that ends with two slashes, the RGW can crash, resulting in a denial of service. The greatest threat from this vulnerability is to system availability.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-617
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2021-3531

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20210514 CVE-2021-3531: Ceph: RGW unauthenticated denial of service

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20210517 Re: CVE-2021-3531: Ceph: RGW unauthenticated denial of service

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1955326

Source: XF
Type: UNKNOWN
ceph-cve20213531-dos(202004)

Source: CCN
Type: Ceph GIT Repository
rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-6e540b85b9

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-ec414c5e18

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-1bf13db941

Source: CCN
Type: oss-sec Mailing List, Fri, 14 May 2021 15:16:37 -0400
CVE-2021-3531: Ceph: RGW unauthenticated denial of service

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:ceph:*:*:*:*:*:*:*:* (Version < 14.2.21)

  Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/a:ceph:ceph:-:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7460 | P | ceph-common-16.2.11.58+g38d6afd3b78-150400.3.6.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:711 | P | Security update for python-lxml (Important) | 2022-08-26
oval:org.opensuse.security:def:95260 | P | Security update for pcre2 (Important) | 2022-07-12
oval:org.opensuse.security:def:95261 | P | Security update for pcre (Important) | 2022-07-12
oval:org.opensuse.security:def:3425 | P | alsa-1.0.27.2-15.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3612 | P | libjavascriptcoregtk-3_0-0-2.4.11-23.20 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94537 | P | dhcp-4.3.6.P1-6.11.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2886 | P | ceph-common-16.2.7.654+gd5a90ff46f0-150400.1.4 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94516 | P | ceph-common-16.2.7.654+gd5a90ff46f0-150400.1.4 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:6032 | P | Security update for clamav (Important) | 2022-05-12
oval:org.opensuse.security:def:101974 | P | Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important) | 2022-04-25
oval:org.opensuse.security:def:101973 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP3) (Important) | 2022-04-24
oval:org.opensuse.security:def:99462 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:6031 | P | Security update for zsh (Important) | 2022-01-24
oval:org.opensuse.security:def:112052 | P | ceph-16.2.6.45+g8fda9838398-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:105604 | P | ceph-16.2.6.45+g8fda9838398-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:97017 | P | libsaml-devel-2.6.1-1.31 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:97018 | P | libshibsp-lite7-2.6.1-1.48 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:101250 | P | blktrace-1.1.0+git.20170126-3.3.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:99661 | P | (Moderate) | 2021-07-20
oval:org.opensuse.security:def:111560 | P | Security update for ceph (Important) | 2021-07-10
oval:org.opensuse.security:def:99969 | P | (Important) | 2021-06-28
oval:org.opensuse.security:def:111418 | P | Security update for ceph (Important) | 2021-06-03
oval:org.opensuse.security:def:73823 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:98876 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:108639 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:92711 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:69653 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:76189 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:9712 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:5712 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:92121 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:66802 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:117431 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:75869 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:8765 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:99071 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:108640 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:92910 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:69852 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:64514 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:10263 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:5713 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:92313 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:67120 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:75870 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:103017 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:8960 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:99263 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:93063 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:70403 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:64701 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:42080 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:73636 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:107916 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:92512 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:67121 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:76188 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:101442 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:9513 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:93216 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:91926 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:66801 | P | Security update for ceph (Important) | 2021-06-02