A POST request with an invalid tagging XML can crash the RGW process. This issue affects ceph v13.2.9 as well as previous v13.2.x (Mimic releases) and all v12.2.x (Luminous releases). Originally reported at https://tracker.ceph.com/issues/44967
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
External References: https://ceph.io/releases/v13-2-10-mimic-released/
Upstream patch: https://github.com/ceph/ceph/commit/375d926a4f2720a29b079c216bafb884eef985c3 [v13.2.10]
Statement: This issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3, as it does not validate the parameter when reading the tagging field from POST obj XML. Red Hat OpenStack Platform 13 provides only the ceph client library and is not affected by this vulnerability.
This issue has been addressed in the following products: Red Hat Ceph Storage 3 - ELS, via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12059