Back to bug 1403245
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Andrej Nemec | 2016-12-09 14:02:21 UTC | Depends On | 1403246 | |
| Andrej Nemec | 2016-12-09 14:02:38 UTC | Depends On | 1403247 | |
| Andrej Nemec | 2016-12-09 14:04:51 UTC | Depends On | 1403003, 1403007 | |
| Andrej Nemec | 2016-12-09 14:07:15 UTC | Blocks | 1403250 | |
| Salvatore Bonaccorso | 2016-12-10 06:14:00 UTC | CC | carnil | |
| Kaleb KEITHLEY | 2016-12-11 12:06:01 UTC | CC | kkeithle | |
| Siddharth Sharma | 2016-12-12 11:02:18 UTC | Doc Text | A flaw was found in the way ceph Object gateway would process HTTP origin header. An authenticated attacker could trigger remote DoS by sending invalid or specially crafted HTTP origin header. | |
| | | Doc Type | If docs needed, set a value | Bug Fix |
| Garth Mollett | 2016-12-13 05:27:06 UTC | Whiteboard | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=new,openstack-6/ceph=new,openstack-6-installer/ceph=new,openstack-10/puppet-ceph=new | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected |
| Siddharth Sharma | 2016-12-13 06:52:28 UTC | Doc Text | A flaw was found in the way ceph Object gateway would process HTTP origin header. An authenticated attacker could trigger remote DoS by sending invalid or specially crafted HTTP origin header. | A flaw was found in the way Ceph Object Gateway would process CORS request. An authenticated attacker could launch remote DoS by sending CORS request with short HTTP origin. |
| Siddharth Sharma | 2016-12-13 14:57:04 UTC | Whiteboard | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=5.0/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected |
| Siddharth Sharma | 2016-12-13 14:57:34 UTC | Whiteboard | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=5.0/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=5/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected |
| Siddharth Sharma | 2016-12-13 14:58:36 UTC | Whiteboard | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=5/AV:N/AC:M/Au:N/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=5/AV:N/AC:L/Au:N/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected |
| Siddharth Sharma | 2016-12-13 16:24:03 UTC | Summary | CVE-2016-9579 ceph: RGW server DoS via request with invalid HTTP Origin header | CVE-2016-9579 ceph: Object Gateway server DoS by sending shorter HTTP Origin header than CORS rule |
| Siddharth Sharma | 2016-12-13 16:38:48 UTC | Doc Text | A flaw was found in the way Ceph Object Gateway would process CORS request. An authenticated attacker could launch remote DoS by sending CORS request with short HTTP origin. | A flaw was found in the way Ceph Object Gateway would process CORS request. An anonymous attacker could launch remote DoS by sending CORS request with shorter HTTP origin than set in CORS rule. |
| Siddharth Sharma | 2016-12-13 16:59:23 UTC | Depends On | 1404375 | |
| Siddharth Sharma | 2016-12-14 08:11:57 UTC | Doc Text | A flaw was found in the way Ceph Object Gateway would process CORS request. An anonymous attacker could launch remote DoS by sending CORS request with shorter HTTP origin than set in CORS rule. | A flaw was found in the way Ceph Object Gateway would process CORS request. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted CORS request. |
| Eric Christensen | 2016-12-14 15:58:14 UTC | Doc Text | A flaw was found in the way Ceph Object Gateway would process CORS request. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted CORS request. | A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request. |
| Siddharth Sharma | 2016-12-15 05:20:28 UTC | Summary | CVE-2016-9579 ceph: Object Gateway server DoS by sending shorter HTTP Origin header than CORS rule | CVE-2016-9579 ceph: Object Gateway server DoS by sending invalid cross-origin HTTP request |
| Siddharth Sharma | 2016-12-21 17:35:31 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2016-12-21 12:35:31 UTC | |
| Product Security DevOps Team | 2019-09-29 14:02:45 UTC | Whiteboard | impact=moderate,public=20161208,reported=20161208,source=redhat,cvss2=5/AV:N/AC:L/Au:N/C:N/I:N/A:P,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/ceph=affected,epel-all/ceph=affected,ceph-1.3/ceph=affected,ceph-2/ceph=affected,openstack-5/ceph=notaffected,openstack-6/ceph=notaffected,openstack-6-installer/ceph=notaffected,openstack-10/puppet-ceph=notaffected | |