Bug 1955326 (CVE-2021-3531)

Summary: CVE-2021-3531 ceph: RGW unauthenticated denial of service
Product: [Other] Security Response Reporter: Sage McTaggart <amctagga>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adeza, anharris, bniver, danmick, david, fedora, flucifre, gfidente, gmeno, hvyas, i, jdurgin, jjoyce, josef, jschluet, lhh, loic, lpeer, mbenjamin, mburns, mhackett, mhicks, ramkrsna, sclewis, slinaber, sostapov, steve, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph 14.2.21 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Red Hat Ceph Storage RGW. When processing a GET Request for a swift URL that ends with two slashes, it can cause the RGW to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1956316, 1964589    
Bug Blocks: 1953072, 1956468    

Description Sage McTaggart 2021-04-29 20:59:01 UTC 
A flaw was found in the Red Hat Ceph Storage RGW. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. 

As an example consider the following curl command:
curl https://<rgw-url>/swift/v1/AUTH_a1c6e2f79c4b412f9e0335bc6120aeae/foo//<https://%3crgw-url%3e/swift/v1/AUTH_a1c6e2f79c4b412f9e0335bc6120aeae/foo/>

the path before the bucket name (before "foo") must be valid for this to work.
"foo" does not necessarily need to be a valid bucket name. If it is a valid bucket name it is irrelevant if the bucket itself is public or not.
Additional query parameters in the URL still cause this issue (e.g. curl https://<rgw-url>/swift/v1/AUTH_a1c6e2f79c4b412f9e0335bc6120aeae/foo//?abc<https://%3crgw-url%3e/swift/v1/AUTH_a1c6e2f79c4b412f9e0335bc6120aeae/foo/?abc>)
Comment 7 Hardik Vyas 2021-05-04 11:28:54 UTC 
Statement:

* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.
* This issue did not affect the versions of ceph as shipped with Red Hat Enterprise Linux 8 as they did not include support for RGW.
* Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of ceph package is no longer used and supported with the release of RHOCS 4.3.
Comment 8 Sage McTaggart 2021-05-14 19:17:54 UTC 
Upstream patch :  https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e
Comment 9 Sage McTaggart 2021-05-25 18:35:25 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1964589]
Comment 12 errata-xmlrpc 2022-04-04 10:19:42 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.1

Via RHSA-2022:1174 https://access.redhat.com/errata/RHSA-2022:1174