Уязвимость CVE-2021-21390: Информация
Описание
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.
Важность: MEDIUM (5,9) Вектор: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Исправленные пакеты
Имя пакета | Ветка | Исправлено в версии | Версия в репозитории | Errata ID | № Задания | Состояние |
|---|---|---|---|---|---|---|
| minio | sisyphus | 2021.03.26-alt1 | 2024.05.10-alt1 | ALT-PU-2021-1565-1 | 268499 | Исправлено |
| minio | p10 | 2021.03.26-alt1 | 2024.02.26-alt1 | ALT-PU-2021-1565-1 | 268499 | Исправлено |
| minio | c10f1 | 2021.03.26-alt1 | 2023.05.18-alt1 | ALT-PU-2021-1565-1 | 268499 | Исправлено |
| minio | c9f2 | 2021.11.09-alt1 | 2021.11.09-alt1 | ALT-PU-2022-1258-1 | 293762 | Исправлено |
| minio | p11 | 2021.03.26-alt1 | 2024.05.10-alt1 | ALT-PU-2021-1565-1 | 268499 | Исправлено |
Ссылки на рекомендации, решения и инструменты
Ссылка | Ресурс |
|---|---|
| https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0 |
|
| https://github.com/minio/minio/pull/11801 |
|
| https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp |
|