Bug 1389193 (CVE-2016-8626)

Summary: CVE-2016-8626 Ceph: RGW Denial of Service by sending null or specially crafted POST object requests
Product: [Other] Security Response Reporter: Siddharth Sharma <sisharma>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, ayoung, cbodley, ceph-eng-bugs, chrisw, cvsbot-xmlrpc, gmollett, jschluet, kbasil, lhh, lpeer, markmc, mburns, rbryant, rhos-maint, rperiyas, sclewis, sisharma, smanjara, srevivo, tdecacqu, tserlin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHEL: ceph-0.94.9-7.el7cp Ubuntu: ceph_0.94.9-8redhat1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Ceph Object Gateway handles POST object requests. An authenticated attacker could launch a denial of service attack by sending null or specially crafted POST object requests.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-01 22:38:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1389199    
Bug Blocks: 1387332, 1389198, 1394936    

Description Siddharth Sharma 2016-10-27 07:25:06 UTC 
Description:

A Flaw was found using which authenticated attacker can send post object with null conditions to ceph rados gateway which would lead to crash of ceph-radosgw service resulting in Denial of Service.

http://tracker.ceph.com/issues/17635
https://bugzilla.redhat.com/show_bug.cgi?id=1387332
Comment 1 Siddharth Sharma 2016-10-27 07:26:22 UTC 
Workaround:

1. By default system will use /etc/init.d/ceph-radosgw
   stop this service by

~]# /etc/init.d/ceph-radosgw stop

2. Create systemd service, change command line params according to the environment
where Ceph radosgw is running.

~]# cat /usr/lib/systemd/system/ceph-rgw.service 
[Unit]
Description=Ceph RGW daemon

[Service]
Type=forking
ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
Restart=on-abnormal
RestartSec=1s

[Install]
WantedBy=multi-user.target

3. Run systemd service 'ceph-rgw.service'

Caveat: It still takes +1-2 sec to get service back online. Attacker has to know bucket-name and for that attacker must be authenticated so if service get a lot of such requests user/attacker can be blocked by revoking access to service.
Comment 8 errata-xmlrpc 2016-11-22 19:24:12 UTC 
This issue has been addressed in the following products:

 Red Hat Ceph Storage 2 for Ubuntu 16.04

Via RHSA-2016:2816 https://rhn.redhat.com/errata/RHSA-2016-2816.html
Comment 9 errata-xmlrpc 2016-11-22 19:33:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for RHEL 7

Via RHSA-2016:2815 https://rhn.redhat.com/errata/RHSA-2016-2815.html
Comment 12 errata-xmlrpc 2016-12-01 21:39:14 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for RHEL 7

Via RHSA-2016:2847 https://rhn.redhat.com/errata/RHSA-2016-2847.html
Comment 13 errata-xmlrpc 2016-12-01 22:04:40 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu 14.04

Via RHSA-2016:2848 https://rhn.redhat.com/errata/RHSA-2016-2848.html