Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 850547 (CVE-2021-43858, CVE-2022-31028, CVE-2022-35919) - net-fs/minio: mishandling of unclosed client connections leads to DoS
Summary: net-fs/minio: mishandling of unclosed client connections leads to DoS
Status: CONFIRMED
Alias: CVE-2021-43858, CVE-2022-31028, CVE-2022-35919
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/minio/minio/securi...
Whiteboard: ~3 [ebuild]
Keywords:
: 830137 (view as bug list)
Depends on:
Blocks:
 
Reported: 2022-06-07 22:51 UTC by John Helmert III
Modified: 2022-08-04 03:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-07 22:51:15 UTC
CVE-2022-31028:

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.

There seems to be exploit code available: https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1

Needs bump to RELEASE.2022-06-02T02-11-04Z.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 03:03:24 UTC
*** Bug 830137 has been marked as a duplicate of this bug. ***
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 03:04:25 UTC
CVE-2021-43858 (https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf):

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

CVE-2022-35919 (https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg):

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies.