Bug 1840744 (CVE-2020-10753) - CVE-2020-10753 ceph: radosgw: HTTP header injection via CORS ExposeHeader tag
Summary: CVE-2020-10753 ceph: radosgw: HTTP header injection via CORS ExposeHeader tag
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841204 1841205 1842369 1851206
Blocks: 1838025
Reported: 2020-05-27 14:23 UTC by Przemyslaw Roguski
Modified: 2021-02-16 19:58 UTC (History)

Fixed In Version: ceph 14.2.10, ceph 15.2.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is an injection of HTTP headers via the CORS ExposeHeader tag: a newline character in an ExposeHeader value in the CORS configuration results in header injection in the response when a CORS request is made.
Clone Of:
Environment:
Last Closed: 2020-07-20 19:27:41 UTC




Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2020:3003  2020-07-20 14:20:58 UTC
Red Hat Product Errata  RHSA-2020:3504  2020-08-18 18:05:56 UTC
Red Hat Product Errata  RHSA-2020:3505  2020-08-18 18:02:23 UTC

Description Przemyslaw Roguski 2020-05-27 14:23:35 UTC
It was reported that a "newline" character in the ExposeHeader tag of the CORS XML configuration file can lead to a header injection attack.
When the CORS request is made, the response contains the injected header. Using newline characters injected into the HTTP headers, it is possible for a malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies.

This impacts the RHCS RadosGW S3 API.
For example, a malicious user could create a publicly-accessible S3 bucket with such a CORS configuration, and anyone who accessed that bucket would have these headers injected.
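
The following is an added illustration, not Ceph's code and not the upstream fix: it shows why a line break in an S3 CORS ExposeHeader value splits the Access-Control-Expose-Headers response line into two headers, and a configuration-time validator that rejects any ExposeHeader value that is not a single RFC 7230 token. The CORS documents and the injected header name are constructed for the example.

```python
"""Added example (not Ceph's code): CORS ExposeHeader response splitting
and a strict validator that rejects such values when the config is stored."""
import re
import xml.etree.ElementTree as ET

# Constructed S3 CORS configurations (not taken from the report).
SAFE_CORS = """<CORSConfiguration><CORSRule>
<AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>
<ExposeHeader>x-amz-request-id</ExposeHeader><ExposeHeader>ETag</ExposeHeader>
</CORSRule></CORSConfiguration>"""
# Second ExposeHeader value carries a line break followed by a forged header
# line (a harmless constructed name here).
BAD_CORS = SAFE_CORS.replace("ETag", "ETag\nX-Injected: constructed")

# RFC 7230 "token": the only characters a legal HTTP field-name may contain.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_expose_headers(cors_xml):
    """Collect the ExposeHeader values from a CORSConfiguration document."""
    root = ET.fromstring(cors_xml)
    return [e.text or "" for e in root.iter("ExposeHeader")]


def render_expose_headers_naive(names):
    """Vulnerable pattern: config values joined straight into a header line.
    A value containing a line break terminates the header and starts a new one."""
    return "Access-Control-Expose-Headers: " + ", ".join(names) + "\r\n"


def validate_expose_headers(names):
    """Return the values that are not a single HTTP token (empty list = safe).
    fullmatch is used because re.match with '$' would accept a trailing newline."""
    return [n for n in names if not _TOKEN.fullmatch(n)]


def check_cors_config(cors_xml):
    """Configuration-time gate: (accepted, offending_values). Rejecting the
    document on PUT means no request can later trigger the split response."""
    bad = validate_expose_headers(parse_expose_headers(cors_xml))
    return (not bad, bad)


if __name__ == "__main__":
    lines = render_expose_headers_naive(parse_expose_headers(BAD_CORS)).splitlines()
    print("naive rendering produced", len(lines), "header lines:", lines)
    print("validator verdict on BAD_CORS:", check_cors_config(BAD_CORS))
```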

Comment 2 Przemyslaw Roguski 2020-05-27 14:23:40 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 7 Przemyslaw Roguski 2020-05-28 14:04:46 UTC
Added all affected products.
Ceph package contains affected radosgw component.

Comment 8 Przemyslaw Roguski 2020-05-28 15:53:00 UTC
ceph-2 is also affected, but as the impact is moderate, ceph-2 is marked as ooss.

Comment 11 Przemyslaw Roguski 2020-05-29 15:00:35 UTC
Acknowledgments:

Name: Adam Mohammed (Linode)
Upstream: William Bowling

Comment 16 Summer Long 2020-06-02 00:23:03 UTC
Statement:

* Red Hat Ceph Storage (RHCS) 3 and 4 are affected by this vulnerability. Note: although this issue affects the RadosGW S3 API, it does not affect the Swift API.
* Red Hat OpenShift Container Storage (RHOCS) 4.2 is affected by this flaw. However, because RHOCS 4.2 is now in the Maintenance Phase of support, this issue is not currently planned to be addressed in future updates.
* Red Hat OpenStack Platform (RHOSP) 13 is not affected by this flaw because RHOSP 13 only ships the ceph client libraries and does not build server code.

Comment 18 Przemyslaw Roguski 2020-06-25 18:50:57 UTC
Upstream PR: https://github.com/ceph/ceph/pull/35773

Comment 19 Przemyslaw Roguski 2020-06-25 18:55:32 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1851206]

Comment 20 Hardik Vyas 2020-06-26 15:04:23 UTC
Upstream patch:

[14.2.10] https://github.com/ceph/ceph/commit/46817f30cee60bc5df8354ab326762e7c783fe2c

Comment 21 Przemyslaw Roguski 2020-06-29 07:12:44 UTC
External References:

https://ceph.io/releases/v14-2-10-nautilus-released/

Comment 22 errata-xmlrpc 2020-07-20 14:20:55 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.1

Via RHSA-2020:3003 https://access.redhat.com/errata/RHSA-2020:3003

Comment 23 Product Security DevOps Team 2020-07-20 19:27:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10753

Comment 24 errata-xmlrpc 2020-08-18 18:02:21 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2020:3505 https://access.redhat.com/errata/RHSA-2020:3505

Comment 25 errata-xmlrpc 2020-08-18 18:05:54 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.3

Via RHSA-2020:3504 https://access.redhat.com/errata/RHSA-2020:3504
