Reported by | Martin Molin <martin@ternacode.com>; Sayan Nandan <ohsayan@outlook.com>; |
---|---|
CVE | CVE-2021-37625 |
Reported on | Aug 02 2021, 1122 UTC |
Patch Release Date | Aug 03 2021, 0401 UTC |
Public Disclosure Date | Aug 05 2021, 0700 UTC |
Affected versions | 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3 |
Affected binaries | server (skyd for versions > 0.5.0 and tdb for versions < 0.5.1) |
Patched binary link | https://dl.skytable.io/security/v0.6.4/ |
Attack type | Other |
Impact | Denial of Service (DoS) |
Attack vectors | Network |
Procedure | When a user A with access to a system S on which a database instance is running opens a specially crafted TCP connection or an incomplete TLS connection (using patched libraries), they can cause a Denial of Service (DoS) by taking down the entire database instance, without the instance reporting any kind of error. |
Erroneous logic | N/A |
Mitigation | Upgrade to the latest Skytable release |
Public patch commit | Backport (92a5550ff39ca2b555c9c5b7d30967e41e3ed790) |