Описание
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.
A flaw was found in the Waitress WSGI server for Python. When a remote client closes the connection before waitress has had the opportunity to call getpeername(), waitress will incorrectly clean up the connection, leading to the main thread attempting to write to a socket that no longer exists, and that socket is not removed from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could exhaust the available sockets with very little resources required.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 4 | python-waitress | Affected | ||
| Red Hat Ceph Storage 5 | python-waitress | Affected | ||
| Red Hat Openshift Container Storage 4 | python-waitress | Affected | ||
| Ironic content for Red Hat OpenShift Container Platform 4.12 | python-waitress | Fixed | RHSA-2024:10535 | 05.12.2024 |
| Ironic content for Red Hat OpenShift Container Platform 4.13 | python-waitress | Fixed | RHSA-2024:10815 | 12.12.2024 |
| Red Hat OpenShift Container Platform 4.14 | python-waitress | Fixed | RHSA-2024:9623 | 20.11.2024 |
| Red Hat OpenShift Container Platform 4.15 | python-waitress | Fixed | RHSA-2024:10145 | 26.11.2024 |
| Red Hat OpenShift Container Platform 4.16 | python-waitress | Fixed | RHSA-2024:9618 | 20.11.2024 |
| Red Hat OpenShift Container Platform 4.17 | python-waitress | Fixed | RHSA-2024:9613 | 19.11.2024 |
| Red Hat OpenStack Platform 16.2 | python-waitress | Fixed | RHSA-2025:0201 | 09.01.2025 |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername() waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.
Waitress is a Web Server Gateway Interface server for Python 2 and 3. ...
7.5 High
CVSS3