Bug 1950116 (CVE-2021-3509) - CVE-2021-3509 ceph-dashboard: Cross-site scripting via token Cookie
Summary: CVE-2021-3509 ceph-dashboard: Cross-site scripting via token Cookie
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3509
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1953091 1960697 1960759
Blocks: 1950121 1951729
TreeView+ depends on / blocked
 
Reported: 2021-04-15 19:10 UTC by Pedro Sampaio
Modified: 2021-06-15 21:04 UTC (History)
37 users (show)

Fixed In Version: nautilus 14.2.20 , octopus 15.2.11 , pacific 16.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Red Hat Ceph Storage Dashboard. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS. The greatest threat to the system is for confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed: 2021-06-15 21:04:04 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2445 0 None None None 2021-06-15 17:13:03 UTC

Description Pedro Sampaio 2021-04-15 19:10:02 UTC
A flaw was found in ceph. In order to make the JWT token inaccessible through XSS, it was moved from localStorage to httpOnly Cookie (CVE-2020-27839). But token cookie are used in the body of the HTTP response for the documentation, which again makes it available to XSS.

References:

https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409

Comment 7 Mauro Matteo Cascella 2021-04-29 10:41:16 UTC
Statement:

Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.
Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only which has reached End of Life. The shipped version of ceph package is neither used nor supported with the release of RHOCS 4.3.

Red Hat Ceph Storage (RHCS) 4 ships a version of ceph which has not been patched for CVE-2020-27839, and therefore, although not vulnerable to this specific flaw, would be vulnerable if CVE-2020-27839 were to be patched without recognition of the flaw.

Red Hat Enterprise Linux 8 is not affected by this flaw as it does not include the ceph dashboard component.

Comment 8 Sage McTaggart 2021-04-29 20:36:20 UTC
Acknowledgments:

Name: Sergey Bobrov (Kaspersky)

Comment 9 Sage McTaggart 2021-05-14 18:51:14 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1960759]

Comment 11 errata-xmlrpc 2021-06-15 17:13:00 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:2445 https://access.redhat.com/errata/RHSA-2021:2445

Comment 12 Product Security DevOps Team 2021-06-15 21:04:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3509


Note You need to log in before you can comment on or make changes to this bug.