1403003 – An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.

Bug 1403003 - An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules. [NEEDINFO]

Summary: An anonymous user can provoke an abort() of the RGW server by sending a reque...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	2.1
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	2.1
Assignee:	Matt Benjamin (redhat)
QA Contact:	shilpa
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2016-9579
TreeView+	depends on / blocked

Reported:	2016-12-08 20:57 UTC by Matt Benjamin (redhat)
Modified:	2022-07-09 08:54 UTC (History)
CC List:	9 users (show)
Fixed In Version:	RHEL: ceph-10.2.3-17.el7cp Ubuntu: ceph_10.2.3-18redhat1xenial
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1403007 (view as bug list)
Environment:
Last Closed:	2016-12-15 16:49:26 UTC
Dependent Products:
Flags:	sisharma: needinfo? (mbenjamin)

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	18187	None	None	None	2016-12-08 20:57:19 UTC
Red Hat Issue Tracker	RHCEPH-4725	None	None	None	2022-07-09 08:54:37 UTC
Red Hat Product Errata	RHSA-2016:2954	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 2.1 security and bug fix update	2017-03-22 02:06:31 UTC
Red Hat Product Errata	RHSA-2016:2956	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 2.1 security and bug fix update	2016-12-15 23:02:58 UTC

Description Matt Benjamin (redhat) 2016-12-08 20:57:20 UTC

Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.


Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1


How reproducible:
100%


Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts

Actual results:
Server abort

Expected results:
Ordinary access or error behavior if client is forbidden by ACL.

Additional info:
N/A

Comment 7 shilpa 2016-12-13 10:00:31 UTC

Verified on ceph-10.2.3-17.

Comment 10 errata-xmlrpc 2016-12-15 16:49:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2954.html

Note You need to log in before you can comment on or make changes to this bug.