Bug 1951674 (CVE-2021-3524) - CVE-2021-3524 ceph object gateway: radosgw: CRLF injection
Summary: CVE-2021-3524 ceph object gateway: radosgw: CRLF injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3524
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1951675 1958426 2040886
Blocks: 1950142 1955602 1955605
Reported: 2021-04-20 17:30 UTC by Sage McTaggart
Modified: 2022-05-05 13:15 UTC (History)
CC List: 32 users

Fixed In Version: ceph 14.2.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when making the CORS request. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed: 2022-05-05 13:15:18 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1174 0 None None None 2022-04-04 10:19:45 UTC
Red Hat Product Errata RHSA-2022:1716 0 None None None 2022-05-05 07:53:14 UTC

Description Sage McTaggart 2021-04-20 17:30:57 UTC
It was reported that the "newline" character in the CORS XML configuration file, in the ExposeHeader tag, can lead to a header injection attack.
When the CORS request is made, the response contains the injected header. Using newline characters injected into the HTTP headers, it is possible for a malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies.

This impacts the RHCS RadosGW S3 API.
For example, a malicious user could create a publicly-accessible S3 bucket with such a CORS configuration, and anyone that accessed that bucket would have these headers injected.

In addition, in contrast to the prior fix, \r can be used as a separator, and is not fixed in the prior patch, which only handled \n separators.
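The following is an added illustration of the defensive check the description calls for; it is not radosgw's code and all function names in it are hypothetical. It takes the header names that would come out of a parsed CORS rule, shows that a naive join turns a bare CR, bare LF or CRLF inside an ExposeHeader value into an extra response header line, and contrasts that with an allow-list validator built on the RFC 7230 token grammar, which rejects both separators (the bare-CR case being the one the earlier patch missed) instead of filtering only "\n".

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Added illustration, not radosgw's own code; every name below is hypothetical.
// Header names from a CORS <ExposeHeader> element are copied into the
// Access-Control-Expose-Headers response header, so a CR or LF inside one
// starts a new header line. The safe fix is an allow-list on the header-name
// grammar (RFC 7230 "token"), which excludes CR, LF and all other control
// characters, rather than stripping a single separator character.

// RFC 7230 tchar: ALPHA / DIGIT / "!" / "#" / "$" / "%" / "&" / "'" / "*"
//                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
static bool is_tchar(unsigned char c) {
  if (std::isalnum(c)) return true;
  switch (c) {
    case '!': case '#': case '$': case '%': case '&': case '\'': case '*':
    case '+': case '-': case '.': case '^': case '_': case '`': case '|': case '~':
      return true;
    default:
      return false;
  }
}

// A configured header name is accepted only if it is a non-empty token.
bool cors_header_name_is_safe(const std::string& name) {
  if (name.empty()) return false;
  for (unsigned char c : name) {
    if (!is_tchar(c)) return false;
  }
  return true;
}

// Naive rendering that mirrors the flaw: configured values are joined as-is.
std::string naive_expose_headers(const std::vector<std::string>& names) {
  std::string out;
  for (const auto& n : names) {
    if (!out.empty()) out += ", ";
    out += n;
  }
  return out;
}

// Hardened rendering: refuse the whole rule if any entry fails validation.
std::optional<std::string> safe_expose_headers(const std::vector<std::string>& names) {
  for (const auto& n : names) {
    if (!cors_header_name_is_safe(n)) return std::nullopt;
  }
  return naive_expose_headers(names);
}

// Number of HTTP header lines a rendered value occupies once emitted as
// "Access-Control-Expose-Headers: <value>\r\n": 1 when clean, more when a
// bare CR, bare LF or CRLF inside the value starts a new line.
std::size_t header_line_count(const std::string& value) {
  std::size_t lines = 1;
  for (std::size_t i = 0; i < value.size(); ++i) {
    if (value[i] == '\n') {
      ++lines;
    } else if (value[i] == '\r') {
      ++lines;
      if (i + 1 < value.size() && value[i + 1] == '\n') ++i;  // CRLF counts once
    }
  }
  return lines;
}

int main() {
  // Constructed sample values, as they would come out of a parsed CORS rule.
  const std::vector<std::string> clean = {"ETag", "x-amz-meta-foo"};
  const std::vector<std::string> lf = {"ETag", "X-Foo\nSet-Cookie: a=b"};
  const std::vector<std::string> cr = {"ETag", "X-Foo\rSet-Cookie: a=b"};  // bare CR case

  for (const auto* v : {&clean, &lf, &cr}) {
    const std::string rendered = naive_expose_headers(*v);
    std::cout << "naive render spans " << header_line_count(rendered) << " line(s); "
              << "hardened render " << (safe_expose_headers(*v) ? "accepted" : "rejected")
              << '\n';
  }
  return 0;
}
```

Rejecting the whole rule, rather than silently dropping the offending entry, keeps the stored configuration and the emitted header in agreement and makes a malformed bucket policy visible to whoever set it.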

Comment 2 Sage McTaggart 2021-04-20 17:31:06 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 10 Sage McTaggart 2021-04-29 20:32:36 UTC
Acknowledgments:

Name: Sergey Bobrov (Kaspersky)

Comment 13 Summer Long 2021-05-04 04:41:37 UTC
Statement:

* Red Hat Ceph Storage (RHCS) 4 is affected by this vulnerability. Note: although this issue affects the RadosGW S3 API, it does not affect the Swift API.
* Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only which has reached End of Life. The shipped version of ceph package is neither used nor supported with the release of RHOCS 4.3.
* Red Hat Enterprise Linux 7 and 8 are not affected by this flaw, as the shipped versions of `ceph` are not compiled with RadosGW support.
* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.

Comment 15 Sage McTaggart 2021-05-07 21:28:38 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1958426]

Comment 17 Sage McTaggart 2021-05-14 18:46:47 UTC
Upstream patch here: https://github.com/ceph/ceph/releases/tag/v14.2.21

Comment 20 errata-xmlrpc 2022-04-04 10:19:42 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.1

Via RHSA-2022:1174 https://access.redhat.com/errata/RHSA-2022:1174

Comment 21 errata-xmlrpc 2022-05-05 07:53:11 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.3

Via RHSA-2022:1716 https://access.redhat.com/errata/RHSA-2022:1716

Comment 22 Product Security DevOps Team 2022-05-05 13:15:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3524