CVE-2019-10222

NameCVE-2019-10222
DescriptionA flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs936015

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ceph (PTS)stretch (security), stretch10.2.11-2fixed
buster12.2.11+dfsg1-2.1vulnerable
bullseye, sid14.2.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cephsourcejessie(not affected)
cephsourcestretch(not affected)
cephsource(unstable)14.2.4-1936015

Notes

[buster] - ceph <no-dsa> (Minor issue; only triggerable if experimental feature enabled)
[stretch] - ceph <not-affected> (Vulnerable code not present)
[jessie] - ceph <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2019/08/28/9
https://github.com/ceph/ceph/pull/29967
https://github.com/ceph/ceph/commit/6171399fdedd928b4249d135b4036e3de25079aa
12.2.x installations only affected by the vulnerability if experimental
features are enabled.

Search for package or bug name: Reporting problems