Bug 1403245 (CVE-2016-9579) - CVE-2016-9579 ceph: Object Gateway server DoS by sending invalid cross-origin HTTP request
Summary: CVE-2016-9579 ceph: Object Gateway server DoS by sending invalid cross-origin...
Status: CLOSED ERRATA
Alias: CVE-2016-9579
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161208,repor...
Keywords: Security
Depends On: 1403003 1403007 1403246 1403247 1404375
Blocks: 1403250
TreeView+ depends on / blocked
 
Reported: 2016-12-09 14:01 UTC by Andrej Nemec
Modified: 2019-06-08 21:39 UTC (History)
31 users (show)

(edit)
A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request.
Clone Of:
(edit)
Last Closed: 2016-12-21 17:35:31 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2954 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 2.1 security and bug fix update 2017-03-22 02:06:31 UTC
Red Hat Product Errata RHSA-2016:2956 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 2.1 security and bug fix update 2016-12-15 23:02:58 UTC
Red Hat Product Errata RHSA-2016:2994 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 1.3 security update 2016-12-21 21:52:39 UTC
Red Hat Product Errata RHSA-2016:2995 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage 1.3 security and bug fix update 2016-12-21 22:15:57 UTC

Description Andrej Nemec 2016-12-09 14:01:48 UTC
An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1403003

Upstream bug:

http://tracker.ceph.com/issues/18187

Comment 1 Andrej Nemec 2016-12-09 14:02:51 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1403246]
Affects: epel-all [bug 1403247]

Comment 2 Siddharth Sharma 2016-12-13 15:04:56 UTC
Workaround:

1. By default system will use /etc/init.d/ceph-radosgw
   stop this service by

~]# /etc/init.d/ceph-radosgw stop

2. Create systemd service, change command line params according to the environment
where Ceph radosgw is running.

~]# cat /usr/lib/systemd/system/ceph-rgw.service 
[Unit]
Description=Ceph RGW daemon

[Service]
Type=forking
ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
Restart=on-abnormal
RestartSec=1s

[Install]
WantedBy=multi-user.target

3. Run systemd service 'ceph-rgw.service'


Anonymous attacker should know name of the bucket to trigger this Remote DoS. Firewall can be set only to accept requests from white listed IP addresses.
Limiting connections to Ceph Object Gateway would lower down risk of remote DoS.

Comment 4 errata-xmlrpc 2016-12-15 16:49:50 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2016:2954 https://rhn.redhat.com/errata/RHSA-2016-2954.html

Comment 5 errata-xmlrpc 2016-12-15 18:03:07 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Ubuntu 16.04

Via RHSA-2016:2956 https://rhn.redhat.com/errata/RHSA-2016-2956.html

Comment 6 errata-xmlrpc 2016-12-21 16:53:00 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7

Via RHSA-2016:2994 https://rhn.redhat.com/errata/RHSA-2016-2994.html

Comment 7 errata-xmlrpc 2016-12-21 17:16:07 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu 14.04

Via RHSA-2016:2995 https://rhn.redhat.com/errata/RHSA-2016-2995.html


Note You need to log in before you can comment on or make changes to this bug.