Bug 1389193 (CVE-2016-8626) - CVE-2016-8626 Ceph: RGW Denial of Service by sending null or specially crafted POST object requests
Summary: CVE-2016-8626 Ceph: RGW Denial of Service by sending null or specially crafte...
Status: CLOSED ERRATA
Alias: CVE-2016-8626
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161020,repor...
Keywords: Security
Depends On: 1389199
Blocks: 1387332 1389198 1394936
TreeView+ depends on / blocked
 
Reported: 2016-10-27 07:25 UTC by Siddharth Sharma
Modified: 2019-06-08 21:33 UTC (History)
23 users (show)

(edit)
A flaw was found in the way Ceph Object Gateway handles POST object requests. An authenticated attacker could launch a denial of service attack by sending null or specially crafted POST object requests.
Clone Of:
(edit)
Last Closed: 2016-12-01 22:38:59 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2815 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage security, bug fix, and enhancement update 2017-03-22 02:06:33 UTC
Red Hat Product Errata RHSA-2016:2816 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage security, bug fix, and enhancement update 2016-11-23 00:22:26 UTC
Red Hat Product Errata RHSA-2016:2847 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 1.3 security, bug fix, and enhancement update 2016-12-02 02:38:33 UTC
Red Hat Product Errata RHSA-2016:2848 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 1.3 security, bug fix, and enhancement update 2016-12-02 03:04:31 UTC

Description Siddharth Sharma 2016-10-27 07:25:06 UTC
Description:

A Flaw was found using which authenticated attacker can send post object with null conditions to ceph rados gateway which would lead to crash of ceph-radosgw service resulting in Denial of Service.

http://tracker.ceph.com/issues/17635
https://bugzilla.redhat.com/show_bug.cgi?id=1387332

Comment 1 Siddharth Sharma 2016-10-27 07:26:22 UTC
Workaround:

1. By default system will use /etc/init.d/ceph-radosgw
   stop this service by

~]# /etc/init.d/ceph-radosgw stop

2. Create systemd service, change command line params according to the environment
where Ceph radosgw is running.

~]# cat /usr/lib/systemd/system/ceph-rgw.service 
[Unit]
Description=Ceph RGW daemon

[Service]
Type=forking
ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
Restart=on-abnormal
RestartSec=1s

[Install]
WantedBy=multi-user.target

3. Run systemd service 'ceph-rgw.service'

Caveat: It still takes +1-2 sec to get service back online. Attacker has to know bucket-name and for that attacker must be authenticated so if service get a lot of such requests user/attacker can be blocked by revoking access to service.

Comment 8 errata-xmlrpc 2016-11-22 19:24:12 UTC
This issue has been addressed in the following products:

 Red Hat Ceph Storage 2 for Ubuntu 16.04

Via RHSA-2016:2816 https://rhn.redhat.com/errata/RHSA-2016-2816.html

Comment 9 errata-xmlrpc 2016-11-22 19:33:11 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for RHEL 7

Via RHSA-2016:2815 https://rhn.redhat.com/errata/RHSA-2016-2815.html

Comment 12 errata-xmlrpc 2016-12-01 21:39:14 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for RHEL 7

Via RHSA-2016:2847 https://rhn.redhat.com/errata/RHSA-2016-2847.html

Comment 13 errata-xmlrpc 2016-12-01 22:04:40 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu 14.04

Via RHSA-2016:2848 https://rhn.redhat.com/errata/RHSA-2016-2848.html


Note You need to log in before you can comment on or make changes to this bug.