Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO
CVE-2022-31028

7.5HIGH

Key Information:

Vendor

Minio

Status
Minio
Vendor
CVE Published:
7 June 2022

What is CVE-2022-31028?

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

minio >= RELEASE.2019-09-25T18-25-51Z, < RELEASE.2022-06-02T02-11-04Z

References

https://github.com/minio/minio/security/advisories/GHSA-q...
x_refsource_CONFIRM
https://github.com/minio/minio/pull/14995
x_refsource_MISC
https://gist.github.com/harshavardhana/2d00e6f909054d2d25...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.