https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq Summary below: Description Summary It is possible to bypass the CEPH rados authentication gw by proving an JWT as demonstrated in the PoC. In this case Keycloak is used as IdP. This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. Do not mention the customer/organisation in public reports etc. Details has also been provided to security before. As always, please fix this within 90 days as we plan to go public. Details It is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is probably in the RadosGW OIDC provider. PoC The HTTP request can be found below. But without the JWT: POST / HTTP/2 Host: storage.xxx.se User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1 X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0 Content-Type: application/x-www-form-urlencoded Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78 Amz-Sdk-Request: attempt=1; max=3 Content-Length: 1508 Accept-Encoding: gzip, deflate, br Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey.. Impact This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. We can also request CVE from Mitre.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat Ceph Storage 8.0 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:10956
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days