Bug 1403003 - An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules. [NEEDINFO]
Summary: An anonymous user can provoke an abort() of the RGW server by sending a reque...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 2.1
Hardware: All
OS: All
unspecified
urgent
Target Milestone: rc
: 2.1
Assignee: Matt Benjamin (redhat)
QA Contact: shilpa
URL:
Whiteboard:
Depends On:
Blocks: CVE-2016-9579
TreeView+ depends on / blocked
 
Reported: 2016-12-08 20:57 UTC by Matt Benjamin (redhat)
Modified: 2017-07-30 15:55 UTC (History)
9 users (show)

Fixed In Version: RHEL: ceph-10.2.3-17.el7cp Ubuntu: ceph_10.2.3-18redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1403007 (view as bug list)
Environment:
Last Closed: 2016-12-15 16:49:26 UTC
sisharma: needinfo? (mbenjamin)


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2954 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 2.1 security and bug fix update 2017-03-22 02:06:31 UTC
Ceph Project Bug Tracker 18187 None None None 2016-12-08 20:57:19 UTC
Red Hat Product Errata RHSA-2016:2956 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 2.1 security and bug fix update 2016-12-15 23:02:58 UTC

Description Matt Benjamin (redhat) 2016-12-08 20:57:20 UTC
Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.


Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1


How reproducible:
100%


Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts

Actual results:
Server abort

Expected results:
Ordinary access or error behavior if client is forbidden by ACL.

Additional info:
N/A

Comment 7 shilpa 2016-12-13 10:00:31 UTC
Verified on ceph-10.2.3-17.

Comment 10 errata-xmlrpc 2016-12-15 16:49:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2954.html


Note You need to log in before you can comment on or make changes to this bug.