Bug 1261606 - (CVE-2015-5245) CVE-2015-5245 Ceph: RGW returns requested bucket name raw in Bucket response header
CVE-2015-5245 Ceph: RGW returns requested bucket name raw in Bucket response ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150818,repor...
: Security
Depends On: 1258620 1258621 1277345
Blocks: 1261607
  Show dependency treegraph
 
Reported: 2015-09-09 14:37 EDT by Kurt Seifried
Modified: 2016-09-07 03:56 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A feature in Ceph Object Gateway (RGW) allows to return a specific HTTP header that contains the name of a bucket that was accessed. It was found that the returned HTTP headers were not sanitized. An unauthenticated attacker could use this flaw to craft HTTP headers in responses that would confuse the load balancer residing in front of RGW, potentially resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-02 05:24:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2015-09-09 14:37:18 EDT
Upstream reports:

PCI scans have determined that the RGW is returning whatever string it thought was the name of the bucket requested as raw text in the Bucket response header, which we are using to be able to track request/response cycles by bucket. The result is that things like this are possible (note the extra Content-type header):

<snip>
$ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-type%3A%20%22image-jpg";echo
HTTP/1.1 400 Bad Request
Bucket: "nothing-to-see-here" 
Content-type: "image-jpg" 
Content-Length: 83
Accept-Ranges: bytes
Content-type: application/xml
Date: Mon, 27 Jul 2015 22:57:11 GMT

<Error><Code>InvalidBucketName</Code></Error>
</snip>

This could be considerably worse. It is in fact trivial to make the RGW return invalid HTTP responses this way as well (the resulting response is from HAProxy rejecting the invalid response from the RGW, as it should):

</snip>
$ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-Length%3A%20%2282";echo
HTTP/1.0 502 Bad Gateway
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
</snip>

The RGW needs to sanitize/clean-up the bucket name before including it in the bucket header, by encoding the data in a standard encoding so that it is impossible to do things like inserting new headers, data, etc.. that looks like meaningful parts of a real HTTP response.

External reference:
http://tracker.ceph.com/issues/12537
Comment 2 errata-xmlrpc 2015-11-23 15:22:33 EST
This issue has been addressed in the following products:

 Red Hat Ceph Storage 1.3 for Ubuntu 14.04

Via RHSA-2015:2512 https://access.redhat.com/errata/RHSA-2015:2512
Comment 3 errata-xmlrpc 2015-11-23 16:36:10 EST
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for RHEL 7

Via RHSA-2015:2066 https://access.redhat.com/errata/RHSA-2015:2066

Note You need to log in before you can comment on or make changes to this bug.