Bug 1827262 (CVE-2020-12059)

Summary: CVE-2020-12059 ceph: specially crafted XML payload on POST requests leads to DoS by crashing RGW
Product: [Other] Security Response Reporter: Hardik Vyas <hvyas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, anharris, bniver, branto, danmick, david, dbecker, fedora, flucifre, gfidente, gmeno, hvyas, i, jdurgin, jjoyce, josef, jschluet, lhh, loic, lpeer, mbenjamin, mburns, mhackett, ramkrsna, sclewis, slinaber, steve, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph 13.2.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ceph Object Gateway S3 API, where it did not properly validate the POST requests. This flaw allows an attacker to perform a denial of service attack using a malicious POST request with specially crafted XML payload, leading to a crash of the RGW process.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-06 20:33:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1827318    
Bug Blocks: 1827270    

Description Hardik Vyas 2020-04-23 13:52:58 UTC 
A POST request with an invalid tagging XML can crash the RGW process, this issue affects ceph v13.2.9 as well as previous v13.2.x(Mimic releases) and all v12.2.x(Luminous releases).
Originally reported at https://tracker.ceph.com/issues/44967
Comment 4 Hardik Vyas 2020-04-23 16:06:07 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 6 Hardik Vyas 2020-04-24 05:32:58 UTC 
External References:

https://ceph.io/releases/v13-2-10-mimic-released/
Comment 7 Hardik Vyas 2020-04-24 05:37:39 UTC 
Upstream patch : https://github.com/ceph/ceph/commit/375d926a4f2720a29b079c216bafb884eef985c3 [v13.2.10]
Comment 8 Nick Tait 2020-04-24 17:38:06 UTC 
Statement:

This issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3, as it does not validate the parameter when reading the tagging field from POST obj XML.

Red Hat OpenStack Platform 13 provides only the ceph client library and is not affected by this vulnerability.
Comment 12 errata-xmlrpc 2021-05-06 18:31:57 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 - ELS

Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518
Comment 13 Product Security DevOps Team 2021-05-06 20:33:54 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12059