Bug 1711753

Summary: [rhos13] v4 signature support doesn't verify content for PUT request
Product: Red Hat OpenStack
Reporter: Summer Long <slong>
Component: openstack-swift
Assignee: Pete Zaitcev <zaitcev>
Status: CLOSED CURRENTRELEASE
Severity: medium
Docs Contact: Tana <tberry>
Priority: medium
Version: 13.0 (Queens)
CC: derekh, swiftbugzilla, zaitcev
Target Milestone: ---
Keywords: Security, Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1711749
Last Closed: 2023-07-11 20:44:45 UTC
Type: ---
Regression: ---
Documentation: ---

Description Summer Long 2019-05-20 03:52:17 UTC
Description of problem:
When support was added for v4 signatures, it required that the client provide an X-Amz-Content-SHA256 header and use it in computing the expected signature. However, it wasn't verified that the content sent actually matched the SHA! As a result, an attacker who manages to capture the headers for a PUT request had a 5-minute window to overwrite the object with arbitrary content of the same length.

Because an attacker must already have secure access to exploit this, it has been raised as a hardening task.

Additional info:
Upstream bug: https://bugs.launchpad.net/ossa/+bug/1765834, fixed in 2.21.0
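The following is an added example, not code from Swift's s3api or from the bug reporter, that models the flaw described above with a simplified AWS Signature Version 4 implementation (no query string, a fixed host, lowercased header names, and constructed credentials; the error names follow the codes S3 itself returns). The client signs a PUT whose canonical request contains the sha256 of the body via x-amz-content-sha256. The server-side verify_put function computes the same signature; with check_content=False it reproduces the vulnerable behaviour (signature valid, body never hashed), with the default it compares the hash header against the actual body. The demo also shows why an attacker cannot simply update the hash header to match the forged body (that header is signed), and how the replay stops working once the x-amz-date is outside the 5-minute skew window.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credentials for the demo; not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "s3"
MAX_SKEW = timedelta(minutes=5)   # the replay window the bug report refers to


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, datestamp: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    for part in (REGION, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    return k


def compute_signature(secret, method, path, headers, signed_headers):
    """Client and server derive the signature from the headers only.
    The body enters solely through the x-amz-content-sha256 header value."""
    canonical_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in signed_headers)
    canonical_request = "\n".join([method, path, "", canonical_headers,
                                   ";".join(signed_headers), headers["x-amz-content-sha256"]])
    amz_date = headers["x-amz-date"]
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode())])
    return hmac.new(signing_key(secret, amz_date[:8]), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def sign_put(path: str, body: bytes, when: datetime) -> dict:
    """Client side: build the headers of a SigV4-signed PUT (header names lowercased)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    headers = {"host": "swift.example", "x-amz-date": amz_date,
               "x-amz-content-sha256": sha256_hex(body)}
    signed = sorted(headers)
    sig = compute_signature(SECRET_KEY, "PUT", path, headers, signed)
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request, "
        f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return headers


def _parse_authorization(value: str):
    fields = dict(p.strip().split("=", 1) for p in value.split(" ", 1)[1].split(","))
    return fields["SignedHeaders"].split(";"), fields["Signature"]


def verify_put(path, headers, body, now, check_content=True):
    """Server side. check_content=False reproduces the vulnerable behaviour:
    the hash header is signed, but nobody confirms the body actually hashes to it."""
    request_time = datetime.strptime(headers["x-amz-date"],
                                     "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - request_time) > MAX_SKEW:
        return False, "RequestTimeTooSkewed"
    signed_headers, presented = _parse_authorization(headers["authorization"])
    expected = compute_signature(SECRET_KEY, "PUT", path, headers, signed_headers)
    if not hmac.compare_digest(expected, presented):
        return False, "SignatureDoesNotMatch"
    # The fix: the body must hash to the value the client signed.
    if check_content and not hmac.compare_digest(headers["x-amz-content-sha256"],
                                                 sha256_hex(body)):
        return False, "XAmzContentSHA256Mismatch"
    return True, "OK"


def demo():
    path = "/reports/q1.txt"
    body = b"quarterly total: 1000"          # constructed object content
    t0 = datetime(2019, 5, 20, 3, 52, 17, tzinfo=timezone.utc)
    captured = sign_put(path, body, t0)      # headers a network attacker captures
    forged = b"quarterly total: 9999"        # same length, different content
    tampered = dict(captured, **{"x-amz-content-sha256": sha256_hex(forged)})
    return {
        "legit": verify_put(path, captured, body, t0),
        "vulnerable_replay": verify_put(path, captured, forged, t0, check_content=False),
        "fixed_replay": verify_put(path, captured, forged, t0),
        "fixed_header_tamper": verify_put(path, tampered, forged, t0),
        "after_window": verify_put(path, captured, forged, t0 + timedelta(minutes=6),
                                   check_content=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The "vulnerable_replay" case is the bug: the captured headers still verify because the signature never covered the bytes on the wire, only the hash the client claimed. Hashing the received body and comparing it to the signed header closes that gap; the skew check alone merely bounds how long the captured headers stay useful.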

Comment 3 Lon Hohberger 2023-07-11 20:44:45 UTC
This is resolved in OSP16.1 and OSP16.2. Since OSP13 retired on June 27, 2023, I am closing this.