Bug 1711753 - [rhos13] v4 signature support doesn't verify content for PUT request
Summary: [rhos13] v4 signature support doesn't verify content for PUT request
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-swift
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
: ---
Assignee: Pete Zaitcev
QA Contact: Tana
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-05-20 03:52 UTC by Summer Long
Modified: 2023-07-11 20:45 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1711749
Environment:
Last Closed: 2023-07-11 20:44:45 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-10559 0 None None None 2023-07-11 20:45:01 UTC

Description Summer Long 2019-05-20 03:52:17 UTC
Description of problem:
When support was added for v4 signatures, it required that the client provide an X-Amz-Content-SHA256 header and use it in computing the expected signature. However, it wasn't verified that the content sent actually matched the SHA! As a result, an attacker that manages to capture the headers for a PUT request had a 5-minute window to overwrite the object with arbitrary content of the same length.

Because an attacker must already have secure access to exploit this, it has been raised as a hardening task.

Additional info:
Upstream bug: https://bugs.launchpad.net/ossa/+bug/1765834, fixed in 2.21.0
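The missing step the report describes is a comparison between the digest the client declared (and bound into the signature) and the digest of the body that actually arrived. The following is an added illustration of that check in Python; it is not Swift's own code and does not reproduce its s3api implementation. It assumes the v4 signature over the headers has already been validated elsewhere, treats the S3 "UNSIGNED-PAYLOAD" sentinel as a policy decision passed in by the caller, and uses constructed headers and bodies for the demonstration.

```python
import hashlib
import hmac

# Sentinel the S3 SigV4 spec allows in place of a real digest. Whether to
# accept it is a deployment policy, so the caller decides via allow_unsigned.
UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD"

HEX_DIGITS = frozenset("0123456789abcdef")


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def verify_content_sha256(headers, body, allow_unsigned=False):
    """Check that the payload of a PUT matches the X-Amz-Content-SHA256 header
    that was bound into the v4 signature.

    Returns (accepted, reason). The signature over the headers is assumed to
    have been verified already; this is the body check the bug report says
    was skipped, without which captured headers can be replayed with a
    different body.
    """
    declared = _header(headers, "X-Amz-Content-SHA256")
    if declared is None:
        return False, "missing X-Amz-Content-SHA256"
    if declared == UNSIGNED_PAYLOAD:
        if allow_unsigned:
            return True, "unsigned payload accepted by policy"
        return False, "unsigned payload not allowed"
    declared = declared.lower()
    if len(declared) != 64 or not set(declared) <= HEX_DIGITS:
        return False, "malformed digest"
    actual = hashlib.sha256(body).hexdigest()
    # Constant-time comparison; a mismatch means the body is not the one
    # the client signed, so the request must be rejected.
    if not hmac.compare_digest(actual, declared):
        return False, "body does not match signed digest"
    return True, "ok"


def demo():
    """Constructed scenario: headers from a legitimate PUT, then the same
    headers presented again with a different body of equal length."""
    original = b"hello world, this is my object"
    # Constructed header set; the Authorization value is a placeholder standing
    # in for a captured v4 signature, which this check does not re-validate.
    headers = {
        "X-Amz-Content-SHA256": hashlib.sha256(original).hexdigest(),
        "Authorization": "AWS4-HMAC-SHA256 <placeholder signature>",
    }
    tampered = b"HELLO WORLD, THIS IS MY OBJECT"
    assert len(tampered) == len(original)
    return {
        "legit": verify_content_sha256(headers, original),
        "replayed_same_length": verify_content_sha256(headers, tampered),
        "no_digest_header": verify_content_sha256(
            {"Authorization": headers["Authorization"]}, original),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the check in place, the "replayed_same_length" case is rejected because the body's SHA-256 no longer matches the digest the signature covers; without it, as the report describes, that request would have been accepted as long as the signature window had not expired.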

Comment 3 Lon Hohberger 2023-07-11 20:44:45 UTC
This is resolved in OSP16.1 and OSP16.2. Since OSP13 retired on June 27, 2023, I am closing this.

