Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1711747

Summary: [rhos10] v4 signature support doesn't verify content for PUT request
Product: Red Hat OpenStack
Reporter: Summer Long <slong>
Component: openstack-swift-plugin-swift3
Assignee: Pete Zaitcev <zaitcev>
Status: CLOSED EOL
QA Contact: Mike Abrams <mabrams>
Severity: medium
Docs Contact:
Priority: medium
Version: 10.0 (Newton)
CC: derekh, mabrams, nlevinki, swiftbugzilla, zaitcev
Target Milestone: ---
Keywords: Security, Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1711746
Clones: 1711749
Environment:
Last Closed: 2021-07-07 10:39:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Candidate 1 (no tests) (flags: none)

Description Summer Long 2019-05-20 03:47:55 UTC
Description of problem:
When support was added for v4 signatures, it required that the client provide an X-Amz-Content-SHA256 header and use it in computing the expected signature. However, it wasn't verified that the content sent actually matched the SHA! As a result, an attacker that manages to capture the headers for a PUT request had a 5-minute window to overwrite the object with arbitrary content of the same length.

Because an attacker must already have secure access to exploit this, it has been raised as a hardening task.

Additional info:
Upstream bug: https://bugs.launchpad.net/ossa/+bug/1765834, fixed in 2.21.0
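
A minimal model of the flaw described in this report, added here as an example and not the swift3 plugin's own code: a SigV4-style verifier that checks only the signature over the headers, next to one that also hashes the request body and compares it with the declared X-Amz-Content-SHA256. The secret key, path, date and bodies are constructed values.

```python
import hashlib
import hmac

# Constructed secret; a simplified stand-in for the SigV4 signing key, not swift3 code.
SECRET = b"constructed-secret-key"
PATH = "/bucket/obj"


def sign(method, path, headers):
    """Sign over the fields a SigV4-style client commits to, including the
    declared content hash. Note that the body itself is never read here."""
    canonical = "\n".join([method, path,
                           headers["x-amz-date"],
                           headers["x-amz-content-sha256"]]).encode()
    return hmac.new(SECRET, canonical, hashlib.sha256).hexdigest()


def verify_signature_only(method, path, headers, body):
    """Vulnerable check (the behaviour this bug reports): the signature is
    valid for the declared hash, but the body is never hashed and compared."""
    expected = sign(method, path, headers)
    return hmac.compare_digest(expected, headers.get("authorization", ""))


def verify_with_content_check(method, path, headers, body):
    """Hardened check: the body must also hash to the declared value, so a
    captured header set cannot be replayed with a different payload."""
    if not verify_signature_only(method, path, headers, body):
        return False
    actual = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(actual, headers.get("x-amz-content-sha256", ""))


def make_put(body):
    """Build the headers a legitimate client would send for a PUT of `body`."""
    headers = {"x-amz-date": "20190520T034755Z",  # constructed timestamp
               "x-amz-content-sha256": hashlib.sha256(body).hexdigest()}
    headers["authorization"] = sign("PUT", PATH, headers)
    return headers


def check_verifiers(original_body, replacement_body):
    """Present the headers signed for original_body together with
    replacement_body; return (vulnerable_result, hardened_result)."""
    headers = make_put(original_body)
    return (verify_signature_only("PUT", PATH, headers, replacement_body),
            verify_with_content_check("PUT", PATH, headers, replacement_body))
```

With a same-length replacement body the vulnerable verifier still accepts the request, while the hardened one rejects it; any change to the signed headers themselves is rejected by both.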

Comment 1 Pete Zaitcev 2019-05-22 04:10:29 UTC
Created attachment 1571782 [details]
Candidate 1 (no tests)

Comment 2 Pete Zaitcev 2019-05-22 04:12:47 UTC
I do not see this as a major risk, because the attacker needs to snoop the transport, and TLS should protect against it.