Security Advisory

Synopsis: A Denial-of-Service (DoS) vulnerability against the Minio server was discovered and has been fixed in RELEASE.2018–05–25T19–49–13Z

Severity: Medium

Who is affected: All users of the signature V4 authentication are affected. Users of the signature V2 authentication are not affected.

Recommended Action for Users: All users are advised to upgrade their Minio deployments to the latest version. This issue is fixed in version RELEASE.2018–05–25T19–49–13Z

Description: The Minio server tries to read the entire body of certain S3 API requests — for example (presigned) GET-requests — into RAM to verify the MD5 or SHA256 checksum of the request body. A malicious client could abuse this to execute a DoS attack against the Minio server by sending either recorded V4-signed or V4-presigned requests with a large body until the server runs out of memory. A successful exploit requires either local network access or a valid V4-presigned request.

The issue was discovered through an internal security audit and a patch has been submitted to fix the vulnerability by verifying the request body in a streaming mode instead of buffering it in RAM. The patch has been reviewed and accepted, and a new release has been made.

A successful exploit can be used to consume the entire memory of the server such that it stops handling requests and must be restarted manually.