Bug 2007451 - rgw: With policy specifying invalid arn, users can list content of any bucket
Summary: rgw: With policy specifying invalid arn, users can list content of any bucket
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 4.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 5.0z1
Assignee: Pritha Srivastava
QA Contact: Vidushi Mishra
Docs Contact: Mary Frances Hull
URL:
Whiteboard:
Depends On:
Blocks: 1959686
Reported: 2021-09-23 21:57 UTC by Matt Benjamin (redhat)
Modified: 2023-09-15 01:15 UTC (History)

Fixed In Version: ceph-16.2.0-134.el8cp
Doc Type: Bug Fix
Doc Text:
Policies with invalid Amazon resource name elements no longer lead to privilege escalation. Previously, incorrect handling of invalid Amazon resource name (ARN) elements in IAM policy documents, such as bucket policies, could grant unintended permissions to users who are not named in the policy. With this release, the fix prevents such policies from being stored and, for policies that are already stored, evaluates them correctly.
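The two-layer mitigation the Doc Text describes (reject a policy with a malformed ARN at store time, and treat an already-stored malformed ARN as matching nothing at evaluation time) can be illustrated with the following added example. It is not RGW code; the ARN grammar, the IAM-style wildcard matcher and the sample policy are assumptions constructed for the illustration.

```python
import re

# Hypothetical strict grammar for S3 resource ARNs: arn:partition:s3:::resource, where the
# region and account fields are empty for S3, so exactly three colons must follow "s3".
_S3_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):s3:::([^:\s]\S*)$")

def parse_s3_arn(arn):
    """Return the resource pattern ("bucket" or "bucket/key"), or None if the ARN is malformed."""
    m = _S3_ARN.match(arn)
    return m.group(2) if m else None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def invalid_arns(policy):
    """Store-time check: collect Resource entries that do not parse, so the document can be rejected."""
    return [r for s in policy.get("Statement", [])
            for r in _as_list(s.get("Resource")) if parse_s3_arn(r) is None]

def _glob(pattern, value):
    # IAM-style wildcards: '*' matches any run of characters (slashes included), '?' one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def resource_matches(arn, bucket, key=None):
    """Evaluation-time check: a malformed ARN matches nothing, so a stored bad policy fails closed."""
    pattern = parse_s3_arn(arn)
    if pattern is None:
        return False
    target = bucket if key is None else f"{bucket}/{key}"
    return _glob(pattern, target)

def is_allowed(policy, action, bucket, key=None):
    """Default deny; an explicit Deny statement overrides any Allow."""
    allowed = False
    for s in policy.get("Statement", []):
        if not any(_glob(a, action) for a in _as_list(s.get("Action"))):
            continue
        if not any(resource_matches(r, bucket, key) for r in _as_list(s.get("Resource"))):
            continue
        if s.get("Effect") == "Deny":
            return False
        if s.get("Effect") == "Allow":
            allowed = True
    return allowed

# Constructed sample policy: the second statement's ARN omits the empty region and account fields.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::team-bucket"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:team-bucket"},
]}
```

With the sample policy, `invalid_arns` flags the second statement, and even if that policy were stored, `is_allowed` grants `s3:ListBucket` only on `team-bucket`, not on arbitrary buckets.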
Clone Of: 2007335
Environment:
Last Closed: 2021-11-02 16:39:21 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-1877 0 None None None 2021-09-23 22:00:12 UTC
Red Hat Product Errata RHBA-2021:4105 0 None None None 2021-11-02 16:39:47 UTC

Comment 10 errata-xmlrpc 2021-11-02 16:39:21 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 Bug Fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4105

Comment 11 Red Hat Bugzilla 2023-09-15 01:15:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days