2215374 – (CVE-2023-46159) CVE-2023-46159 ceph: RGW crash upon misconfigured CORS rule

Bug 2215374 (CVE-2023-46159) - CVE-2023-46159 ceph: RGW crash upon misconfigured CORS rule

Summary: CVE-2023-46159 ceph: RGW crash upon misconfigured CORS rule

Keywords:
Status:	NEW
Alias:	CVE-2023-46159
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2215379 2215378 2215380 2215381 2215382 2215383 2215384 2215385 2215386
Blocks:	2215376
TreeView+	depends on / blocked

Reported:	2023-06-15 18:56 UTC by Guilherme de Almeida Suckevicz
Modified:	2024-03-20 10:34 UTC (History)
CC List:	26 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Ceph. Certain misconfigurations of CORS rules in Ceph could result in a significantly large memory allocation. This issue can lead to RGW crashing and a denial of service from an authenticated user on the network.
Clone Of:
Environment:
Last Closed:	2023-10-03 05:45:30 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:0745	0	None	None	None	2024-02-08 16:49:43 UTC

Description Guilherme de Almeida Suckevicz 2023-06-15 18:56:11 UTC

In certain cases, where a user misconfigures a CORS rule, the entirety of the string can be token characters (or, at least, the string before and after a given token is all token characters), but != "*". If the misconfigured string includes "*" we'll try to split the string and we assume that we can pop the list of string elements when "*" isn't first/last, but get_str_list() won't return anything for token-only substrings and thus 'ssplit' will have fewer elements than would be expected for a correct rule. In the case of an empty list, front() has undefined behaviour; in our experience, it often results in a huge allocation attempt because the code tries to copy the string into a
local variable 'sl'.

An example of this misconfiguration (and thus a reproduction case) is configuring an origin of " *".

Comment 7 errata-xmlrpc 2024-02-08 16:49:40 UTC

This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0745 https://access.redhat.com/errata/RHSA-2024:0745

Note You need to log in before you can comment on or make changes to this bug.

ahanwate
amctagga
aoconnor
bniver
branto
dhughes
eglynn
flucifre
gfidente
gmeno
jdurgin
jjoyce
jschluet
lhh
mbenjamin
mburns
mgarciac
mhackett
mhicks
muagarwa
odf-bz-bot
pgrist
rcyriac
security-response-team
sostapov
vereddy