Bug 1781170 (CVE-2019-19337) - CVE-2019-19337 ceph: denial of service in RGW daemon
Summary: CVE-2019-19337 ceph: denial of service in RGW daemon
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19337
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1781239
Blocks: 1781094
Reported: 2019-12-09 13:19 UTC by Siddharth Sharma
Modified: 2021-02-16 20:55 UTC (History)

Fixed In Version: ceph-12.2.12-83.el7cp ceph_12.2.12-76redhat1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server.
Clone Of:
Environment:
Last Closed: 2019-12-19 20:09:36 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4353 0 None None None 2019-12-19 17:58:50 UTC
Red Hat Product Errata RHSA-2019:4357 0 None None None 2019-12-19 18:27:02 UTC

Description Siddharth Sharma 2019-12-09 13:19:03 UTC
A flaw was found in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server.

Comment 3 Siddharth Sharma 2019-12-13 11:04:31 UTC
Mitigation:

1. By default, the system will use /etc/init.d/ceph-radosgw; stop this service with
~]# /etc/init.d/ceph-radosgw stop

2. Create systemd service, and change command line parameters according to the environment where Ceph radosgw is running.

~]# cat /usr/lib/systemd/system/ceph-rgw.service
[Unit]
Description=Ceph RGW daemon

[Service]
Type=forking
ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
Restart=on-abnormal
RestartSec=1s

[Install]
WantedBy=multi-user.target

3. Run the systemd service 'ceph-rgw.service'.

Caveat: It still takes +1-2 sec to get the service back online. After applying the above-mentioned mitigation, the malicious IP can be blocked by a firewall rule if there are continuous attempts to launch a remote denial of service. This mitigation is of limited use if the attack is launched from multiple IPs. It is recommended to limit the exposure of the Ceph RGW server to known clients.
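
As an added example (not code from the bug report, from Red Hat or from Ceph), a small Python check that reads journald output for the ceph-rgw.service unit described in the mitigation above and flags a restart storm, so that repeated crashes are noticed and the firewall step in the caveat can be applied. The journal lines are constructed; the message wording assumed here mimics systemd's "main process exited" lines.

```python
import re
from datetime import datetime

# Constructed sample in `journalctl -u ceph-rgw.service -o short-iso` style;
# the systemd message texts are mimicked, not captured from a real host.
SAMPLE_JOURNAL = """\
2019-12-10T10:00:01+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-10T10:00:05+0000 rgw1 systemd[1]: ceph-rgw.service: main process exited, code=killed, status=6/ABRT
2019-12-10T10:00:06+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-10T10:00:09+0000 rgw1 systemd[1]: ceph-rgw.service: main process exited, code=killed, status=6/ABRT
2019-12-10T10:00:10+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-10T10:00:14+0000 rgw1 systemd[1]: ceph-rgw.service: main process exited, code=killed, status=6/ABRT
2019-12-10T10:00:15+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-10T10:30:00+0000 rgw1 systemd[1]: Stopping Ceph RGW daemon...
2019-12-10T10:30:00+0000 rgw1 systemd[1]: Stopped Ceph RGW daemon.
"""

# Matches an abnormal exit of the unit (the only case Restart=on-abnormal reacts to).
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: ceph-rgw\.service: main process exited, "
    r"code=(?:killed|exited), status=(?P<status>\S+)$")


def crash_times(journal_text):
    """Return the timestamps of abnormal exits of ceph-rgw.service, in journal order."""
    times = []
    for line in journal_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group("status") != "0/SUCCESS":
            times.append(datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z"))
    return times


def max_crashes_in_window(times, window_s):
    """Largest number of crashes that fall inside any window_s-second interval."""
    best, start = 0, 0
    for end, t in enumerate(times):
        # Slide the window start forward until it fits within window_s of `t`.
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def restart_storm(journal_text, window_s=60, threshold=3):
    """True when ceph-rgw crashed at least `threshold` times within window_s seconds."""
    return max_crashes_in_window(crash_times(journal_text), window_s) >= threshold


if __name__ == "__main__":
    print("restart storm:", restart_storm(SAMPLE_JOURNAL))
```

Note that systemd's default start rate limit (StartLimitBurst within StartLimitInterval) also applies to automatic restarts, so under a sustained storm the unit can stop being restarted entirely; this check surfaces the storm rather than relying on Restart= alone.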

Comment 5 errata-xmlrpc 2019-12-19 17:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.3

Via RHSA-2019:4353 https://access.redhat.com/errata/RHSA-2019:4353

Comment 6 errata-xmlrpc 2019-12-19 18:27:00 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2019:4357 https://access.redhat.com/errata/RHSA-2019:4357

Comment 7 Product Security DevOps Team 2019-12-19 20:09:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19337

Comment 10 Anten Skrabec 2020-01-10 20:10:44 UTC
Statement:

This flaw only affects Red Hat Ceph Storage 3; upstream versions of ceph are not affected.

The ceph packages distributed by Red Hat Enterprise Linux 7 and 8 are not affected by this issue, as they don't ship any server-side library.

Red Hat OpenStack now consumes fixes directly from the base ceph channels. Therefore the ceph package provided by Red Hat OpenStack 13 has been marked as 'will not fix'.
