CRITICAL · 9.8

CVE-2012-4406

Vulnerability Description

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
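The weakness described here is the pattern of handing bytes read back from a shared cache to pickle.loads, which resolves and invokes arbitrary callables named inside the data. The fix pattern that Swift and others adopted is to write cache values as tagged JSON and to refuse anything that is not in that format on read. The following is an added example written for this page, not Swift's own code: the JSON_FLAG marker byte, the CacheDecodeError type, the FakeMemcache stand-in and the key names are all constructed for illustration. The RestrictedUnpickler follows the pattern from the Python pickle documentation and is shown only as a way to read legacy entries during a migration without resolving any global.

```python
"""Hardened cache serialisation: JSON on write, no pickle.loads on read."""
import io
import json
import os
import pickle

# Constructed format marker prefixed to every value we write; a stored value
# without it is rejected on read instead of being fed to pickle.loads.
JSON_FLAG = b"\x02"


class CacheDecodeError(ValueError):
    """Raised when a cached value is not in the expected tagged-JSON format."""


def encode_value(obj):
    """Serialise obj as tagged JSON. json.dumps accepts only plain data
    (dicts, lists, strings, numbers), so an unexpected object fails on
    the writer, where it is a programming error, not a security event."""
    return JSON_FLAG + json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_value(raw):
    """Parse a tagged JSON value. Anything else, including a pickled blob
    planted in the cache, is refused; json.loads can only ever produce data."""
    if not raw or raw[:1] != JSON_FLAG:
        raise CacheDecodeError("cache entry is not tagged JSON; refusing to load")
    return json.loads(raw[1:].decode("utf-8"))


class RestrictedUnpickler(pickle.Unpickler):
    """For reading legacy pickled entries during a migration only. Every
    global lookup is refused, so a pickle cannot name any module attribute
    and therefore cannot cause a callable to be resolved or invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden in cached data" % (module, name))


def decode_legacy_pickle(raw):
    """Load a legacy pickle containing only primitive containers and scalars."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


class FakeMemcache:
    """In-memory stand-in for a memcached client (constructed for the example)."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


def demo():
    """Exercise the normal path, a planted pickle, and the legacy reader.
    Returns (json_round_trip_ok, planted_pickle_refused, global_blocked)."""
    cache = FakeMemcache()

    # Normal path: account metadata round-trips through tagged JSON.
    meta = {"status": 200, "container_count": 3, "bytes": 4096}
    cache.set("account/AUTH_test", encode_value(meta))
    loaded = decode_value(cache.get("account/AUTH_test"))

    # A pickled value in the cache (a harmless one here) is never unpickled
    # by the JSON reader; the format check rejects it first.
    cache.set("account/AUTH_other", pickle.dumps(meta))
    try:
        decode_value(cache.get("account/AUTH_other"))
        refused = False
    except CacheDecodeError:
        refused = True

    # Legacy reader: a pickle that merely references a function (the
    # harmless os.getcwd) is rejected before the reference is resolved.
    try:
        decode_legacy_pickle(pickle.dumps(os.getcwd))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    return loaded == meta, refused, blocked


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The format tag matters operationally: during a rollout, old and new proxy nodes share the same memcached, so readers must be able to tell which encoding a value carries and must treat the legacy one as data to migrate, never as code to execute.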

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor         | Product                                  | Versions
Openstack      | Swift                                    | < 1.7.0
Fedoraproject  | Fedora                                   | 16
Redhat         | Gluster Storage Management Console       | 2.0
Redhat         | Gluster Storage Server For On-Premise    | 2.0
Redhat         | Storage                                  | 2.0
Redhat         | Storage For Public Cloud                 | 2.0
Redhat         | Enterprise Linux Server                  | 5.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2012-4406?

CVE-2012-4406 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

How severe is CVE-2012-4406?

CVE-2012-4406 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2012-4406?

Check the references section above for vendor advisories and patch information. Affected products include: Openstack Swift, Fedoraproject Fedora, Redhat Gluster Storage Management Console, Redhat Gluster Storage Server For On-Premise, Redhat Storage.