Bug 1372446 (CVE-2016-7031) - CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read
Summary: CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-7031
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1372572
Blocks: 1372443
TreeView+ depends on / blocked
 
Reported: 2016-09-01 18:22 UTC by Siddharth Sharma
Modified: 2019-09-29 13:55 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ceph RGW code which allows an anonymous user to list contents of RGW bucket by bypassing ACL which should only allow authenticated users to list contents of bucket.
Clone Of:
Environment:
Last Closed: 2016-09-29 14:35:37 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1372438 None None None Never
Red Hat Product Errata RHSA-2016:1972 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 1.3.3 security, bug fix, and enhancement update 2016-09-29 16:51:21 UTC
Red Hat Product Errata RHSA-2016:1973 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 1.3.3 security, bug fix, and enhancement update 2016-09-29 17:11:28 UTC

Internal Links: 1372438

Description Siddharth Sharma 2016-09-01 18:22:03 UTC
Description of problem:

An anonymous S3 user may be able to (incorrectly) list the contents of a bucket which has an authenticated_users=read ACL.


Version-Release number of selected component (if applicable):
1.3.x


Additional info:
This issue corresponds to upstream tracker issue
http://tracker.ceph.com/issues/13207

Fixed on master in
https://github.com/ceph/ceph/pull/6057

Comment 4 errata-xmlrpc 2016-09-29 13:00:51 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for RHEL 7

Via RHSA-2016:1972 https://rhn.redhat.com/errata/RHSA-2016-1972.html

Comment 5 errata-xmlrpc 2016-09-29 13:14:50 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu

Via RHSA-2016:1973 https://rhn.redhat.com/errata/RHSA-2016-1973.html


Note You need to log in before you can comment on or make changes to this bug.