1372446 – (CVE-2016-7031) CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read

Bug 1372446 (CVE-2016-7031) - CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read

Summary: CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-7031
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1372572
Blocks:	1372443
TreeView+	depends on / blocked

Reported:	2016-09-01 18:22 UTC by Siddharth Sharma
Modified:	2019-09-29 13:55 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-09-29 14:35:37 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1372438	unspecified	CLOSED	RGW permits bucket listing when authenticated_users=read	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHSA-2016:1972	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 1.3.3 security, bug fix, and enhancement update	2016-09-29 16:51:21 UTC
Red Hat Product Errata	RHSA-2016:1973	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage 1.3.3 security, bug fix, and enhancement update	2016-09-29 17:11:28 UTC

Internal Links: 1372438

Description Siddharth Sharma 2016-09-01 18:22:03 UTC

Description of problem:

An anonymous S3 user may be able to (incorrectly) list the contents of a bucket which has an authenticated_users=read ACL.


Version-Release number of selected component (if applicable):
1.3.x


Additional info:
This issue corresponds to upstream tracker issue
http://tracker.ceph.com/issues/13207

Fixed on master in
https://github.com/ceph/ceph/pull/6057

Comment 4 errata-xmlrpc 2016-09-29 13:00:51 UTC

This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for RHEL 7

Via RHSA-2016:1972 https://rhn.redhat.com/errata/RHSA-2016-1972.html

Comment 5 errata-xmlrpc 2016-09-29 13:14:50 UTC

This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu

Via RHSA-2016:1973 https://rhn.redhat.com/errata/RHSA-2016-1973.html

Note You need to log in before you can comment on or make changes to this bug.

aortega
apevec
ayoung
ceph-eng-bugs
chrisw
cvsbot-xmlrpc
jschluet
kbasil
lars
lhh
lpeer
markmc
mburns
rbryant
rhos-maint
sclewis
sisharma
slong
srevivo
tdecacqu