Bug 1110809 (CVE-2014-3497)

Summary: CVE-2014-3497 openstack-swift: XSS in Swift requests through WWW-Authenticate header
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chazlett, chrisw, derekh, gkotton, gmollett, jrusnack, lhh, markmc, mmcallis, rbryant, sclewis, security-response-team, yeylon, zaitcev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that Swift did not escape all HTTP header values, allowing data to be injected into the responses sent from the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts) if a user were tricked into clicking on a malicious URL.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-24 18:10:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1113381, 1113382, 1113797, 1113798    
Bug Blocks: 1110812    

Description Vasyl Kaigorodov 2014-06-18 13:47:21 UTC 
The OpenStack project reports:

Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift's header value
escaping. By tricking a Swift user into clicking a malicious URL, a
remote attacker may inject data in Swift response while still appearing
to come from the Swift server, potentially leading to other client-side
vulnerabilities. All Swift setups are affected.
Comment 1 Vasyl Kaigorodov 2014-06-18 13:56:14 UTC 
Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges the Globo.com Security Team as the original reporter.
Comment 2 Murray McAllister 2014-06-26 05:07:36 UTC 
This issue is public:

http://www.openwall.com/lists/oss-security/2014/06/19/10
Comment 4 Murray McAllister 2014-06-26 05:08:55 UTC 
Created openstack-swift tracking bugs for this issue:

Affects: epel-6 [bug 1113381]
Comment 5 Murray McAllister 2014-06-26 05:13:19 UTC 
The version of openstack-swift in Fedora should be too old to be affected.
Comment 9 errata-xmlrpc 2014-07-24 17:22:47 UTC 
This issue has been addressed in following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:0941 https://rhn.redhat.com/errata/RHSA-2014-0941.html
Comment 10 Martin Prpič 2014-07-28 11:05:54 UTC 
IssueDescription:

It was found that Swift did not escape all HTTP header values, allowing data to be injected into the responses sent from the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts) if a user were tricked into clicking on a malicious URL.