Bug 1403245 (CVE-2016-9579)

Summary: CVE-2016-9579 ceph: Object Gateway server DoS by sending invalid cross-origin HTTP request
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, ayoung, bhubbard, branto, carnil, ceph-eng-bugs, chrisw, cvsbot-xmlrpc, david, fedora, icolle, jdurgin, jjoyce, jschluet, kbasil, lhh, loic, lpeer, markmc, nlevine, ramkrsna, rbryant, rhos-maint, sclewis, sisharma, slinaber, srevivo, steve, tdecacqu, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-21 17:35:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1403003, 1403007, 1403246, 1403247, 1404375    
Bug Blocks: 1403250    

Description Andrej Nemec 2016-12-09 14:01:48 UTC 
An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1403003

Upstream bug:

http://tracker.ceph.com/issues/18187
Comment 1 Andrej Nemec 2016-12-09 14:02:51 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1403246]
Affects: epel-all [bug 1403247]
Comment 2 Siddharth Sharma 2016-12-13 15:04:56 UTC 
Workaround:

1. By default system will use /etc/init.d/ceph-radosgw
   stop this service by

~]# /etc/init.d/ceph-radosgw stop

2. Create systemd service, change command line params according to the environment
where Ceph radosgw is running.

~]# cat /usr/lib/systemd/system/ceph-rgw.service 
[Unit]
Description=Ceph RGW daemon

[Service]
Type=forking
ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
Restart=on-abnormal
RestartSec=1s

[Install]
WantedBy=multi-user.target

3. Run systemd service 'ceph-rgw.service'


Anonymous attacker should know name of the bucket to trigger this Remote DoS. Firewall can be set only to accept requests from white listed IP addresses.
Limiting connections to Ceph Object Gateway would lower down risk of remote DoS.
Comment 4 errata-xmlrpc 2016-12-15 16:49:50 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2016:2954 https://rhn.redhat.com/errata/RHSA-2016-2954.html
Comment 5 errata-xmlrpc 2016-12-15 18:03:07 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Ubuntu 16.04

Via RHSA-2016:2956 https://rhn.redhat.com/errata/RHSA-2016-2956.html
Comment 6 errata-xmlrpc 2016-12-21 16:53:00 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7

Via RHSA-2016:2994 https://rhn.redhat.com/errata/RHSA-2016-2994.html
Comment 7 errata-xmlrpc 2016-12-21 17:16:07 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu 14.04

Via RHSA-2016:2995 https://rhn.redhat.com/errata/RHSA-2016-2995.html