PT-2019-1633 · Openwsman+5

Adam Mariš · Published 2019-03-12 · Updated 2023-02-12

CVE-2019-3833
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Openwsman, versions up to and including 2.6.9
Description: openwsman's built-in HTTP server (the bundled shttpd) can be driven into an infinite loop in process_connection() while parsing a specially crafted HTTP request. A remote, unauthenticated attacker triggers it by sending such a request to the openwsman listener; the affected worker then spins at full CPU and the server stops serving legitimate WS-Management clients. The weakness is an infinite loop (CWE-835), classed as a resource management error. No code execution or data disclosure is involved, which the CVSS vector reflects (C:N/I:N/A:C).
Recommendations: Upgrade to an openwsman release newer than 2.6.9, or install the vendor packages referenced in the advisories below (Red Hat, CentOS, AlmaLinux, Rocky Linux, SUSE, openSUSE), which carry the fix as a backport. A distribution package can report a version below 2.6.9 and still be fixed, so check the advisory rather than the version string alone. Until the update is applied, restrict network access to the WS-Management listener (the port and ssl_port settings in openwsman.conf, 5985 and 5986 by default) to management hosts only, and watch openwsmand for sustained 100% CPU, which is the symptom of a triggered loop. If the host can neither be patched nor isolated, stop the openwsmand service until it can be. Note that "disabling process_connection()" is not a workaround: it is the function that services every client connection.
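The bug class described above, as an added illustration that is not openwsman's code and does not reproduce the exact defect in shttpd's process_connection(): a header-reading loop whose only exit is a complete request, beside the same loop with the exits a practitioner expects (peer closed, no progress, buffer full). The fake_conn stream, the function names, the 512-byte limit and the SPIN_GUARD cap are constructed for the example; in the real bad pattern there is no cap and the loop simply never returns.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a client socket: conn_read() hands out the request
 * bytes and then returns 0 forever, like read(2) after the peer has closed.
 * Illustration of the bug class only, not openwsman's implementation. */
struct fake_conn {
    const char *data;
    size_t len;
    size_t pos;
};

static size_t conn_read(struct fake_conn *c, char *buf, size_t len) {
    size_t n = c->len - c->pos;
    if (n > len)
        n = len;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return n;                       /* 0 once the peer has gone away */
}

/* Length of the header block including its terminating CRLFCRLF,
 * or 0 if the buffer does not yet hold a complete request header. */
static size_t header_len(const char *buf, size_t len) {
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return i + 4;
    return 0;
}

#define BUF_SIZE 512      /* small on purpose so the "too large" path is reachable */
#define SPIN_GUARD 1000   /* demo-only cap; the real bad loop has no such exit */

/* CWE-835 pattern: the only way out is a complete header. A request that is
 * truncated (peer closes early) or never terminates leaves `used` unchanged,
 * so every later iteration is identical and the worker spins at 100% CPU.
 * Returns the iteration count, or -1 when the demo guard fires. */
static int process_connection_spinning(struct fake_conn *c) {
    char buf[BUF_SIZE];
    size_t used = 0;
    int iter = 0;

    for (;;) {
        if (++iter > SPIN_GUARD)
            return -1;              /* demo only: stands in for "hangs forever" */
        size_t n = conn_read(c, buf + used, sizeof buf - used);
        used += n;
        if (header_len(buf, used) != 0)
            return iter;            /* would go on to dispatch the request */
        /* neither n == 0 nor a full buffer ends the loop */
    }
}

enum { REQ_COMPLETE = 0, REQ_EOF = 1, REQ_TOO_LARGE = 2 };

/* Same loop with the exits it needs: stop when the read makes no progress and
 * when the buffer is full without a complete header, so a client cannot pin
 * a worker by sending an unterminated or oversized request. */
static int process_connection_bounded(struct fake_conn *c) {
    char buf[BUF_SIZE];
    size_t used = 0;

    for (;;) {
        if (used == sizeof buf)
            return REQ_TOO_LARGE;   /* header longer than we will buffer */
        size_t n = conn_read(c, buf + used, sizeof buf - used);
        if (n == 0)
            return REQ_EOF;         /* peer closed (or read error) before CRLFCRLF */
        used += n;
        if (header_len(buf, used) != 0)
            return REQ_COMPLETE;
    }
}

/* Helpers that run each loop over a constructed request string. */
static int run_spinning(const char *req) {
    struct fake_conn c = { req, strlen(req), 0 };
    return process_connection_spinning(&c);
}

static int run_bounded(const char *req) {
    struct fake_conn c = { req, strlen(req), 0 };
    return process_connection_bounded(&c);
}

/* A 1024-byte request with no CRLFCRLF anywhere (constructed input). */
static int run_bounded_oversized(void) {
    static char big[1024];
    memset(big, 'A', sizeof big);
    struct fake_conn c = { big, sizeof big, 0 };
    return process_connection_bounded(&c);
}

int main(void) {
    const char *complete  = "GET /wsman HTTP/1.1\r\nHost: target\r\n\r\n";
    const char *truncated = "GET /wsman HTTP/1.1\r\nHost: target\r\n"; /* peer closes here */

    printf("spinning, complete : %d iteration(s)\n", run_spinning(complete));
    printf("spinning, truncated: %d (guard hit: would hang)\n", run_spinning(truncated));
    printf("bounded,  complete : %d (REQ_COMPLETE)\n", run_bounded(complete));
    printf("bounded,  truncated: %d (REQ_EOF)\n", run_bounded(truncated));
    printf("bounded,  oversized: %d (REQ_TOO_LARGE)\n", run_bounded_oversized());
    return 0;
}
```

The point of the pair is the exit conditions, not the parsing: any loop that waits for input to reach a state must also leave when the input stops changing (EOF or error) and when the state can never be reached within the resources it has (buffer full). Checking the return value of every read and bounding the buffer gives both exits; a per-connection read timeout is the usual third one.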

Tags: Fix · DoS · Infinite Loop


Weakness Enumeration

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Related Identifiers

ALSA-2020:4689
AZL-36970
AZL-37152
BDU:2019-01181
CESA-2020:3940
CESA-2020:4689
CVE-2019-3833
openSUSE-SU-2019:1111-1
openSUSE-SU-2019:1217-1
RHSA-2020:3940
RHSA-2020:4689
RLSA-2020:4689
SUSE-SU-2019:0654-1
SUSE-SU-2019:0656-1
SUSE-SU-2019:13981-1

Affected Products

AlmaLinux
CentOS
Openwsman
Red Hat
Rocky Linux
SUSE