It was reported that a "newline" character in the ExposeHeader tag of the CORS XML configuration file can lead to a header injection attack.
When the CORS request is made, the response contains the injected header. Using newline characters injected into the HTTP headers, it is possible for a malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies.
This impacts the RHCS RadosGW S3 API.
For example, a malicious user could create a publicly accessible S3 bucket with such a CORS configuration, and anyone who accessed that bucket would have these headers injected.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Added all affected products.
Ceph package contains affected radosgw component.
ceph-2 is also affected, but as the impact is moderate, ceph-2 is marked as ooss.
Name: Adam Mohammed (Linode)
Upstream: William Bowling
* Red Hat Ceph Storage (RHCS) 3 and 4 are affected by this vulnerability. Note: although this issue affects the RadosGW S3 API, it does not affect the Swift API.
* Red Hat OpenShift Container Storage (RHOCS) 4.2 is affected by this flaw. However, because RHOCS 4.2 is now in the Maintenance Phase of support, this issue is not currently planned to be addressed in future updates.
* Red Hat OpenStack Platform (RHOSP) 13 is not affected by this flaw because RHOSP 13 only ships the ceph client libraries and does not build server code.
Upstream PR: https://github.com/ceph/ceph/pull/35773
Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1851206]