Security Advisory

Synopsis: A denial-of-service (DoS) possibility against the MinIO server was discovered and has been fixed in RELEASE.2019-08-07T01-59-21Z.

Severity: Medium

Who is affected: All users of the MinIO server version RELEASE.2019-03-06T22-47-10Z or newer are affected. In addition, all users of the MinIO gateway version RELEASE.2019-03-06T22-47-10Z or newer that have STS enabled are affected as well. Users of the MinIO gateway without STS are not affected; upgrading is still recommended.

Recommended Action for Users: All users are advised to upgrade their MinIO deployments to the latest version. This issue is fixed in version RELEASE.2019-08-07T01-59-21Z (https://dl.minio.io/server/minio/release/linux-amd64/minio).

Description: An unauthenticated STS client can send a request body of arbitrary size, and the MinIO server buffers it entirely in memory (RAM) until the process runs out of memory.

The issue was discovered through an internal security audit and a patch has been submitted to limit the request body size of STS requests. The patch has been reviewed and accepted, and a new release has been made.
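To make the flaw class and the fix concrete, the following is an added example and not MinIO's own code or the patch referred to above: a minimal Go STS-style endpoint in its vulnerable form, which buffers the whole request body before any other check, beside a bounded form that rejects oversized bodies with 413. The 10 KiB limit, the handler and helper names, and the form fields are assumptions chosen for illustration; the advisory does not state the limit MinIO adopted.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// maxSTSBodyBytes is an illustrative cap on an STS request body. STS requests
// are small form-encoded POSTs, so a few KiB is plenty. (Assumed value; the
// advisory does not state the limit MinIO chose.)
const maxSTSBodyBytes = 10 * 1024

var errBodyTooLarge = errors.New("request body exceeds limit")

// readBounded reads at most limit bytes from r. It asks for limit+1 so that a
// body exactly at the limit is accepted while anything longer is rejected
// without ever being buffered in full.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errBodyTooLarge
	}
	return b, nil
}

// handleSTSForm is the part both handlers share: parse the form-encoded body
// and require an AssumeRole action, as an AWS-style STS endpoint would.
func handleSTSForm(w http.ResponseWriter, body []byte) {
	vals, err := url.ParseQuery(string(body))
	if err != nil || vals.Get("Action") != "AssumeRole" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %s\n", vals.Get("Action"))
}

// vulnerableSTSHandler shows the flaw class: the whole body is buffered
// before any other check, so an unauthenticated client decides how much
// memory the server allocates.
func vulnerableSTSHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no upper bound
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	handleSTSForm(w, body)
}

// hardenedSTSHandler applies the fix: bound the body before reading it and
// answer oversized requests with 413 without buffering them.
func hardenedSTSHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readBounded(r.Body, maxSTSBodyBytes)
	if errors.Is(err, errBodyTooLarge) {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	handleSTSForm(w, body)
}

// sampleBody builds a constructed AssumeRole-style form body with padding
// bytes appended, standing in for an attacker's oversized request.
func sampleBody(padding int) string {
	return "Action=AssumeRole&Version=2011-06-15&DurationSeconds=3600&Padding=" +
		strings.Repeat("A", padding)
}

// serve drives a handler in-process with httptest and returns the HTTP status.
func serve(h http.HandlerFunc, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	big := sampleBody(64 * 1024 * 1024) // 64 MiB of padding
	fmt.Println("vulnerable:", serve(vulnerableSTSHandler, big)) // 200, after buffering all of it
	fmt.Println("hardened:", serve(hardenedSTSHandler, big))     // 413, after reading 10 KiB + 1
	fmt.Println("hardened, small body:", serve(hardenedSTSHandler, sampleBody(16)))
}
```

Two points worth noting. Go's net/http server bounds request headers (http.Server.MaxHeaderBytes) but never the body, so every handler that calls io.ReadAll on r.Body is exposed in this way unless it wraps the body itself; the standard library's http.MaxBytesReader does the same job as readBounded above and additionally makes the server close the connection once the limit is hit. Second, the bound has to be applied before any buffering, which is why the hardened handler wraps the reader rather than checking the length after reading.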

A successful exploit can be used to crash a MinIO server instance such that it cannot serve requests anymore. At the time of writing, this exploit has not been observed in the wild.