A flaw was found in the way the ListBucket function max-keys has no defined limit in the RGW codebase. An authenticated ceph RGW user can cause a denial of service attack against OMAPs holding bucked indices.
RGW S3 listing operations provided a way for authenticated users to cause a denial of service against OMAPs holding bucket indices.
Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1665973]