1403003 – An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.

Bug 1403003 - An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.

Summary: An anonymous user can provoke an abort() of the RGW server by sending a reque...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	2.1
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	2.1
Assignee:	Matt Benjamin (redhat)
QA Contact:	shilpa
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2016-9579
TreeView+	depends on / blocked

Reported:	2016-12-08 20:57 UTC by Matt Benjamin (redhat)
Modified:	2023-09-15 01:25 UTC (History)
CC List:	9 users (show)
Fixed In Version:	RHEL: ceph-10.2.3-17.el7cp Ubuntu: ceph_10.2.3-18redhat1xenial
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1403007 (view as bug list)
Environment:
Last Closed:	2016-12-15 16:49:26 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	18187	None	None	None	2016-12-08 20:57:19 UTC
Red Hat Issue Tracker	RHCEPH-4725	None	None	None	2022-07-09 08:54:37 UTC
Red Hat Product Errata	RHSA-2016:2954	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 2.1 security and bug fix update	2017-03-22 02:06:31 UTC
Red Hat Product Errata	RHSA-2016:2956	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 2.1 security and bug fix update	2016-12-15 23:02:58 UTC

Description Matt Benjamin (redhat) 2016-12-08 20:57:20 UTC

Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.


Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1


How reproducible:
100%


Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts

Actual results:
Server abort

Expected results:
Ordinary access or error behavior if client is forbidden by ACL.

Additional info:
N/A

Comment 7 shilpa 2016-12-13 10:00:31 UTC

Verified on ceph-10.2.3-17.

Comment 10 errata-xmlrpc 2016-12-15 16:49:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2954.html

Comment 13 Red Hat Bugzilla 2023-09-15 01:25:19 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days

Note You need to log in before you can comment on or make changes to this bug.