If the attacker knows the path to a publicly readable object on any RGW cluster, and that object is at least large enough to cover the attack body, it is possible to run an XSS through any such object.
Mitigation:

* Mitigation provided by DigitalOcean: the mitigation relies on the HAProxy load-balancers in front of RGW, and uses HAProxy ACLs combined with in-house Lua embedded in HAProxy.
  1. Detect usage of the query-parameters without any signature (either pre-signed or header), and return an S3-formatted error.
  2. Validate the content in the query-parameters, and return an S3-formatted error.

HAProxy mitigation:
===
acl req_s3_GetObject REDACTED ## redacted uses internal Lua to detect GetObject
acl has_accesskey REDACTED ## redacted uses internal Lua to detect & validate signature

# detection 1, QPs present
acl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found
acl req_s3_GetObject_urlp_response url_param(response-expires) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-language) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-type) -m found

# detection 2, QPs containing unprintable ascii incl CRLF
acl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f

# block for detection 1
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey
# block for detection 2
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf
===
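The two HAProxy detections above, re-expressed as a request-validation function in Python so the rules can be exercised against sample requests. This is an added example, not DigitalOcean's Lua or the page's configuration; it assumes the hostname rgw.example and the sample URLs (all constructed), treats an Authorization header or a Signature / X-Amz-Signature query parameter as "signed" in place of the redacted has_accesskey ACL, and generalizes detection 2 by percent-decoding the value and checking every byte below 0x20 instead of matching raw %xx substrings.

```python
from urllib.parse import urlsplit, parse_qs

# The six GetObject response-override parameters covered by the HAProxy ACLs
RESPONSE_OVERRIDE_PARAMS = {
    "response-cache-control", "response-expires",
    "response-content-disposition", "response-content-encoding",
    "response-content-language", "response-content-type",
}
# Query parameters that carry a pre-signed URL signature (SigV2 and SigV4)
SIGNATURE_PARAMS = {"Signature", "X-Amz-Signature"}


def has_signature(headers, params):
    """Stand-in for the redacted has_accesskey ACL: Authorization header or pre-signed URL."""
    if any(k.lower() == "authorization" for k in headers):
        return True
    return bool(SIGNATURE_PARAMS & set(params))


def contains_control_chars(value):
    """True if the percent-decoded value holds any byte 0x00-0x1f (CR and LF included)."""
    return any(ord(c) < 0x20 for c in value)


def check_get_object(url, headers=None):
    """Return (verdict, reason), applying the page's two detections in order:
    1. response-* parameters present but no signature      -> reject
    2. response-* parameters containing control characters -> reject (even if signed)
    """
    headers = headers or {}
    # keep_blank_values so an empty 'response-content-type=' still counts as present
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    overrides = RESPONSE_OVERRIDE_PARAMS & set(params)
    if not overrides:
        return ("allow", "no response-* override parameters")
    if not has_signature(headers, params):
        return ("reject", "response-* override without signature")
    for name in sorted(overrides):
        for value in params[name]:  # parse_qs already percent-decodes the value
            if contains_control_chars(value):
                return ("reject", f"control character in {name}")
    return ("allow", "signed request with printable overrides")


if __name__ == "__main__":
    # Constructed sample requests against a placeholder RGW endpoint
    base = "https://rgw.example/bucket/object"
    for u in (base,
              base + "?response-content-type=text/html",
              base + "?response-content-type=text/html&X-Amz-Signature=abc",
              base + "?response-content-disposition=inline%0d%0aX-Injected:%201&X-Amz-Signature=abc"):
        print(check_get_object(u))
```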
Acknowledgments:
Name: Robin H. Johnson (DigitalOcean)
Upstream: William Bowling
Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1821587]
Upstream Patches:
https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5
https://github.com/ceph/ceph-ci/commit/1bf14094fec34770d2cc74317f4238ccb2dfef98
The patches are currently available from the ceph.git clone (ceph-ci) and will be pushed to active releases soon.
Statement:
Red Hat OpenStack Platform 15 (RHOSP) packages Ceph but no longer uses it, instead pulling ceph directly from the Red Hat Ceph Storage 4 repository. For this reason, RHOSP will not be updated for this flaw. This issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3 and 4 and Red Hat OpenShift Container Storage 4.2, as the Amazon S3 API accepts unauthenticated requests sent by an anonymous user.
External References:
https://www.openwall.com/lists/oss-security/2020/04/07/1
Patches are merged in upstream Octopus version 15.2.1 via PR https://github.com/ceph/ceph/pull/34482
https://github.com/ceph/ceph/commit/8f90658c731499722d5f4393c8ad70b971d05f77
https://github.com/ceph/ceph/commit/92da834cababc4dddd5dbbab5837310478d1e6d4
https://github.com/ceph/ceph/commit/be7679007c3dfab3e19c22c38c36ccac91828e3b
Nautilus fixes v14.2.9:
https://github.com/ceph/ceph/commit/fce0b267446d6f3f631bb4680ebc3527bbbea002
https://github.com/ceph/ceph/commit/87a63d1743ec6428b43cc5a5977fa5e90f50b7ed
https://github.com/ceph/ceph/commit/c7da604cb101cbe78a257a29498a98c69964e0a6
Mimic fixes v13.2.9:
https://github.com/ceph/ceph/commit/ba0790a01ba5252db1ebc299db6e12cd758d0ff9
https://github.com/ceph/ceph/commit/607a65fccd8a80c2f2c74853a6dc5c14ed8a75c1
https://github.com/ceph/ceph/commit/9ca5b3628245e2878426602bb24f1a4e45edc850
This issue has been addressed in the following products:
Red Hat Ceph Storage 4.1
Via RHSA-2020:3003 https://access.redhat.com/errata/RHSA-2020:3003
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-1760