An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules. The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.

Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1403003
Upstream bug: http://tracker.ceph.com/issues/18187
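The failure mode described above, an Origin value the CORS matcher did not expect, as an added illustration that is not Ceph RGW's code: the Origin header is checked syntactically before wildcard matching, every index into the strings is bounds-checked, and the request-handler boundary catches anything that still escapes, because in C++ an uncaught exception ends in std::terminate() and abort() of the whole daemon. All function names are hypothetical.

```cpp
// Illustrative CORS AllowedOrigin matcher written for this note; not Ceph RGW code.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Accept a single "*" wildcard in the rule, as S3-style CORS AllowedOrigin allows.
// The length check guards the two compare() calls, so a short or odd Origin
// value can never produce an out-of-range access.
static bool wildcard_match(const std::string& rule, const std::string& origin) {
    std::size_t star = rule.find('*');
    if (star == std::string::npos) return rule == origin;
    const std::string prefix = rule.substr(0, star);
    const std::string suffix = rule.substr(star + 1);
    if (origin.size() < prefix.size() + suffix.size()) return false;
    return origin.compare(0, prefix.size(), prefix) == 0 &&
           origin.compare(origin.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Minimal syntactic check for an Origin header: "scheme://host[:port]" or the
// literal "null". Anything else is rejected before it reaches the matcher.
static bool valid_origin_syntax(const std::string& origin) {
    if (origin == "null") return true;
    std::size_t sep = origin.find("://");
    if (sep == std::string::npos || sep == 0) return false;
    if (sep + 3 >= origin.size()) return false;             // no host part
    for (char c : origin.substr(sep + 3))
        if (c == '/' || c == ' ' || c == '\r' || c == '\n') return false;
    return true;
}

// Request-handler boundary: an exception escaping here would reach
// std::terminate() and abort() the process, so the matcher is wrapped and
// fails closed (CORS denied, request still served without CORS headers).
bool cors_origin_allowed(const std::vector<std::string>& rules, const std::string& origin) {
    try {
        if (!valid_origin_syntax(origin)) return false;
        for (const auto& r : rules)
            if (wildcard_match(r, origin)) return true;
        return false;
    } catch (const std::exception&) {
        return false;   // deny rather than crash; a logging hook belongs here
    }
}
```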
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1403246]
Affects: epel-all [bug 1403247]
Workaround:

1. By default the system will use /etc/init.d/ceph-radosgw; stop this service:

   ~]# /etc/init.d/ceph-radosgw stop

2. Create a systemd service, changing the command line parameters according to the environment where Ceph radosgw is running:

   ~]# cat /usr/lib/systemd/system/ceph-rgw.service
   [Unit]
   Description=Ceph RGW daemon

   [Service]
   Type=forking
   ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
   Restart=on-abnormal
   RestartSec=1s

   [Install]
   WantedBy=multi-user.target

3. Run the systemd service 'ceph-rgw.service'.

An anonymous attacker needs to know the name of the bucket to trigger this remote DoS. A firewall can be set to accept requests only from whitelisted IP addresses. Limiting connections to the Ceph Object Gateway would lower the risk of remote DoS.
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2016:2954 https://rhn.redhat.com/errata/RHSA-2016-2954.html
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Ubuntu 16.04

Via RHSA-2016:2956 https://rhn.redhat.com/errata/RHSA-2016-2956.html
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7

Via RHSA-2016:2994 https://rhn.redhat.com/errata/RHSA-2016-2994.html
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.3 for Ubuntu 14.04

Via RHSA-2016:2995 https://rhn.redhat.com/errata/RHSA-2016-2995.html