Bug 2215374 (CVE-2023-46159)

Summary: CVE-2023-46159 ceph: RGW crash upon misconfigured CORS rule
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahanwate, amctagga, aoconnor, bniver, branto, dhughes, eglynn, flucifre, gfidente, gmeno, jdurgin, jjoyce, jschluet, lhh, lsvaty, manissin, mbenjamin, mburns, mgarciac, mhackett, mhicks, muagarwa, odf-bz-bot, pgrist, security-response-team, sostapov, vereddy
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ceph. Certain misconfigurations of CORS rules in Ceph could result in a significantly large memory allocation. This issue can lead to RGW crashing and a denial of service from an authenticated user on the network.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-03 05:45:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2215378, 2215379, 2215380, 2215381, 2215382, 2215383, 2215384, 2215385, 2215386, 2323290    
Bug Blocks: 2215376    

Description Guilherme de Almeida Suckevicz 2023-06-15 18:56:11 UTC 
In certain cases, where a user misconfigures a CORS rule, the entirety of the string can be token characters (or, at least, the string before and after a given token is all token characters), but != "*". If the misconfigured string includes "*" we'll try to split the string and we assume that we can pop the list of string elements when "*" isn't first/last, but get_str_list() won't return anything for token-only substrings and thus 'ssplit' will have fewer elements than would be expected for a correct rule. In the case of an empty list, front() has undefined behaviour; in our experience, it often results in a huge allocation attempt because the code tries to copy the string into a
local variable 'sl'.

An example of this misconfiguration (and thus a reproduction case) is configuring an origin of " *".
Comment 7 errata-xmlrpc 2024-02-08 16:49:40 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0745 https://access.redhat.com/errata/RHSA-2024:0745
Comment 10 errata-xmlrpc 2025-06-26 12:09:51 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.1

Via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775