Impact
An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s /v3-public/authproviders public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue.
This vulnerability affects those using external authentication providers as well as Rancher’s local authentication.
Patches
The patch includes the removal of unnecessary HTTP methods of the specific API.
Patched versions include releases v2.8.13, v2.9.7 and v2.10.3.
Workarounds
There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of Rancher Manager that contains the fix.
References
If you have any questions or comments about this advisory:
References
Impact
An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s
/v3-public/authproviderspublic API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue.This vulnerability affects those using external authentication providers as well as Rancher’s local authentication.
Patches
The patch includes the removal of unnecessary HTTP methods of the specific API.
Patched versions include releases
v2.8.13,v2.9.7andv2.10.3.Workarounds
There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of Rancher Manager that contains the fix.
References
If you have any questions or comments about this advisory:
References