Bug 1403003 – An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1403003 - An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules. [NEEDINFO]

Summary:	An anonymous user can provoke an abort() of the RGW server by sending a reque...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Ceph Storage
Classification:	Red Hat
Component:	RGW (Show other bugs)
Sub Component:
Version:	2.1
Hardware:	All All

Priority	unspecified Severity urgent
Target Milestone:	rc
Target Release:	2.1
Assigned To:	Matt Benjamin (redhat)
QA Contact:	shilpa
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:	CVE-2016-9579
	Show dependency tree / graph

Reported:	2016-12-08 15:57 EST by Matt Benjamin (redhat)
Modified:	2017-07-30 11:55 EDT (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	RHEL: ceph-10.2.3-17.el7cp Ubuntu: ceph_10.2.3-18redhat1xenial
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Clones:	1403007 (view as bug list)
Environment:
Last Closed:	2016-12-15 11:49:26 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Flags:	sisharma: needinfo? (mbenjamin)

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	18187	None	None	None	2016-12-08 15:57 EST
Red Hat Product Errata	RHSA-2016:2954	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 2.1 security and bug fix update	2017-03-21 22:06:31 EDT
Red Hat Product Errata	RHSA-2016:2956	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 2.1 security and bug fix update	2016-12-15 18:02:58 EST

Groups: None (edit)

Description Matt Benjamin (redhat) 2016-12-08 15:57:20 EST

Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.


Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1


How reproducible:
100%


Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts

Actual results:
Server abort

Expected results:
Ordinary access or error behavior if client is forbidden by ACL.

Additional info:
N/A

Comment 7 shilpa 2016-12-13 05:00:31 EST

Verified on ceph-10.2.3-17.

Comment 10 errata-xmlrpc 2016-12-15 11:49:26 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2954.html

Note You need to log in before you can comment on or make changes to this bug.