Bug 1403003 - An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.
Summary: An anonymous user can provoke an abort() of the RGW server by sending a reque...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 2.1
Hardware: All
OS: All
unspecified
urgent
Target Milestone: rc
: 2.1
Assignee: Matt Benjamin (redhat)
QA Contact: shilpa
URL:
Whiteboard:
Depends On:
Blocks: CVE-2016-9579
TreeView+ depends on / blocked
 
Reported: 2016-12-08 20:57 UTC by Matt Benjamin (redhat)
Modified: 2023-09-15 01:25 UTC (History)
9 users (show)

Fixed In Version: RHEL: ceph-10.2.3-17.el7cp Ubuntu: ceph_10.2.3-18redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1403007 (view as bug list)
Environment:
Last Closed: 2016-12-15 16:49:26 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 18187 0 None None None 2016-12-08 20:57:19 UTC
Red Hat Issue Tracker RHCEPH-4725 0 None None None 2022-07-09 08:54:37 UTC
Red Hat Product Errata RHSA-2016:2954 0 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 2.1 security and bug fix update 2017-03-22 02:06:31 UTC
Red Hat Product Errata RHSA-2016:2956 0 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 2.1 security and bug fix update 2016-12-15 23:02:58 UTC

Description Matt Benjamin (redhat) 2016-12-08 20:57:20 UTC
Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.


Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1


How reproducible:
100%


Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts

Actual results:
Server abort

Expected results:
Ordinary access or error behavior if client is forbidden by ACL.

Additional info:
N/A

Comment 7 shilpa 2016-12-13 10:00:31 UTC
Verified on ceph-10.2.3-17.

Comment 10 errata-xmlrpc 2016-12-15 16:49:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2954.html

Comment 13 Red Hat Bugzilla 2023-09-15 01:25:19 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days


Note You need to log in before you can comment on or make changes to this bug.