Bug 2216855 (CVE-2023-43040)

Summary: CVE-2023-43040 rgw: improperly verified POST keys
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, bniver, dfreiber, etamir, flucifre, gmeno, jburrell, mbenjamin, mhackett, muagarwa, rogbas, security-response-team, sostapov, vereddy, vkumar
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rgw. It allows an unprivileged user to write to any bucket accessible by a given access key if a POST request's form-data contains a part named 'bucket' whose value matches the name of the bucket used to sign the request. As a result, a user can upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket named in that POST form part.
Bug Depends On: 2216857, 2216858, 2216859, 2216860, 2216861, 2216862, 2216863, 2216864, 2216865, 2216866, 2216867, 2217572, 2258829, 2258830
Bug Blocks: 2216856

Description Anten Skrabec 2023-06-22 21:28:37 UTC
An unprivileged user can write to any bucket(s) accessible by a given key if a POST’s form-data contains a key called ‘bucket’ with a value matching the name of the bucket used to sign the request. The result of this is that a user could actually upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket in said POST form part.

Fix this simply by setting the bucket to the correct value after the POST form parts are processed, ignoring the form part above if specified.
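The following is an added illustration of the behaviour described in this report and of the fix it proposes; it is not Ceph's code. It models a browser-style POST upload handler in Python under simplifying assumptions: the policy is signed with an HMAC-SHA1 over its base64 form (a stand-in for the gateway's real signing scheme), the target bucket is the one resolved from the request path, and the form parts arrive as a dict. The names `bucket_name_vulnerable`, `bucket_name_fixed` and `handle_post_upload`, the secret and the bucket names are all constructed for the example. The vulnerable resolver lets a form part named `bucket` replace the name the policy is checked against, while the fixed resolver resets the name to the request's bucket after the form has been processed, which is the check the fix restores.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the access key that signed the policy; stands in for
# the per-key secret a real gateway would look up.
SECRET_KEY = b"constructed-secret-for-demo"


def sign_policy(policy: dict, secret: bytes = SECRET_KEY) -> tuple[str, str]:
    """Base64-encode a POST policy document and sign it (simplified scheme)."""
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    signature = hmac.new(secret, policy_b64.encode(), hashlib.sha1).hexdigest()
    return policy_b64, signature


def verify_signature(policy_b64: str, signature: str, secret: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison of the supplied signature with the expected one."""
    expected = hmac.new(secret, policy_b64.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, signature)


def policy_bucket(policy_b64: str) -> str:
    """Return the bucket named in the policy's {"bucket": ...} condition."""
    policy = json.loads(base64.b64decode(policy_b64))
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict) and "bucket" in cond:
            return cond["bucket"]
    raise ValueError("policy has no bucket condition")


def bucket_name_vulnerable(request_bucket: str, form: dict) -> str:
    """Flawed behaviour from the report: a form part named 'bucket'
    overwrites the bucket name the policy is later checked against."""
    bucket_name = request_bucket
    for name, value in form.items():
        if name == "bucket":
            bucket_name = value
    return bucket_name


def bucket_name_fixed(request_bucket: str, form: dict) -> str:
    """Fix from the report: after the form parts are processed, the bucket
    name is set back to the bucket the request was routed to, so a 'bucket'
    form part has no influence on the policy check."""
    for name, _value in form.items():
        pass  # other form parts would be handled here; 'bucket' is ignored
    return request_bucket


def handle_post_upload(request_bucket: str, form: dict, name_resolver) -> tuple[bool, str]:
    """Return (accepted, bucket the object would be written to).

    The object is always written to request_bucket (resolved from the request
    path); the policy is checked against whatever name the resolver yields,
    which is exactly where the vulnerable and fixed behaviours differ.
    """
    if not verify_signature(form.get("policy", ""), form.get("signature", "")):
        return False, ""
    if policy_bucket(form["policy"]) != name_resolver(request_bucket, form):
        return False, ""
    return True, request_bucket


def demo() -> dict:
    """Constructed scenario: the policy authorises 'signed-bucket', but the
    request is routed to 'other-bucket', which the same key can also reach."""
    policy = {"expiration": "2099-01-01T00:00:00Z",
              "conditions": [{"bucket": "signed-bucket"}, ["starts-with", "$key", ""]]}
    policy_b64, signature = sign_policy(policy)
    form = {"key": "upload.txt", "policy": policy_b64,
            "signature": signature, "bucket": "signed-bucket"}
    tampered = dict(form, signature="0" * 40)
    return {
        "vulnerable": handle_post_upload("other-bucket", form, bucket_name_vulnerable),
        "fixed": handle_post_upload("other-bucket", form, bucket_name_fixed),
        "legitimate": handle_post_upload("signed-bucket", form, bucket_name_fixed),
        "bad_signature": handle_post_upload("signed-bucket", tampered, bucket_name_fixed),
    }


if __name__ == "__main__":
    for label, (accepted, bucket) in demo().items():
        print(f"{label}: accepted={accepted} bucket={bucket!r}")
```

Running the module shows the difference directly: with the vulnerable resolver the request to `other-bucket` passes the policy check and is written there, with the fixed resolver it is rejected, and a request to the bucket the policy actually names is still accepted. The point for a reviewer of a fix like this is that the policy must be compared against the bucket the object will really be written to, never against a value the client supplied in the same form.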

Comment 2 Mike Burns 2023-06-26 12:02:17 UTC
Hi Anten,

This shouldn't impact OpenStack (at least directly).  librgw is from the ceph package.  OpenStack pulls this from RHEL or Ceph directly on all the releases.  It will cause container grade updates after it's resolved.

Comment 6 errata-xmlrpc 2023-10-12 16:34:25 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:5693 https://access.redhat.com/errata/RHSA-2023:5693

Comment 9 errata-xmlrpc 2024-02-08 16:49:48 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0745 https://access.redhat.com/errata/RHSA-2024:0745