Bug 1215753 (CVE-2023-43040)

Summary: VUL-0: CVE-2023-43040: ceph: improperly verified POST keys
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: E-Mail List <ceph-bugs>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: cathy.hu, ceph-bugs, mgolub, stoyan.manolov, tserong
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/379853/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-43040:7.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-09-27 09:11:06 UTC
An unprivileged user can write to any bucket(s) accessible by a given key if a POST’s form-data contains a key called ‘bucket’ with a value matching the name of the bucket used to sign the request. The result of this is that a user could actually upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket in said POST form part.

Fix this simply by setting the bucket to the correct value after the POST form parts are processed, ignoring the form part above if specified.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43040
https://bugzilla.redhat.com/show_bug.cgi?id=2216855
https://seclists.org/oss-sec/2023/q3/239
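The defect and the fix described in the report, as an added example that is not part of the bug report and not Ceph RGW code: a simplified model of a browser-based S3 POST upload handler. The model assumes that the bucket the signed policy is verified against starts out as the bucket named in the request URL, that multipart form parts are then copied into the request state by name, and that the object is written to the URL bucket; the bucket names and form parts are constructed sample data.

```python
# Simplified model of an S3 browser-based POST upload handler, constructed as
# an added example for the defect described in the report; not Ceph RGW code.
# Assumptions: the bucket the policy is verified against starts out as the
# bucket named in the request URL, form parts are then copied into the request
# state by name, and the object is written to the URL bucket.
from dataclasses import dataclass


@dataclass
class PostRequest:
    url_bucket: str       # bucket named in the request URL (the write target)
    policy_bucket: str    # bucket condition carried in the signed POST policy
    form_parts: list      # (name, value) pairs in the order they arrive


def handle_post_upload(req: PostRequest, *, fixed: bool) -> tuple:
    """Return (decision, target_bucket) for a POST object upload."""
    state = {"bucket": req.url_bucket}
    for name, value in req.form_parts:
        # Defect: a form part named 'bucket' silently replaces the bucket that
        # the policy check below will compare against.
        state[name] = value
    if fixed:
        # Fix from the report: set the bucket to the correct value after the
        # form parts have been processed, ignoring any 'bucket' form part.
        state["bucket"] = req.url_bucket
    # Policy verification: the policy must name the bucket being written to.
    if state["bucket"] != req.policy_bucket:
        return ("deny", req.url_bucket)
    return ("allow", req.url_bucket)


def bucket_part_mismatch(req: PostRequest) -> bool:
    """True when the form carries a 'bucket' part that differs from the URL
    bucket: a cheap signal when reviewing requests against unpatched gateways."""
    return any(name == "bucket" and value != req.url_bucket
               for name, value in req.form_parts)


# Constructed sample requests: a normal upload, and one where the policy was
# signed for 'photos' but the URL targets 'backups'.
LEGIT = PostRequest("photos", "photos", [("key", "cat.jpg")])
CROSS_BUCKET = PostRequest("backups", "photos",
                           [("bucket", "photos"), ("key", "cat.jpg")])

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("cross-bucket", CROSS_BUCKET)):
        print(label,
              "vulnerable:", handle_post_upload(req, fixed=False),
              "fixed:", handle_post_upload(req, fixed=True))
```

With the vulnerable path, the cross-bucket request passes verification because the form's `bucket` part matches the policy while the write still lands in the URL bucket; with the fix, the comparison is made against the URL bucket and the request is denied.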
Comment 2 Mykola Golub 2023-09-29 08:29:49 UTC
Upstream has created a tracker ticket for this: https://tracker.ceph.com/issues/63004

PR for the main branch: https://tracker.ceph.com/issues/63004

Backport PRs will be created after the fix is merged to the main branch.
Comment 3 Mykola Golub 2023-09-29 08:32:36 UTC
(In reply to Mykola Golub from comment #2)

> PR for the main branch: https://tracker.ceph.com/issues/63004

Sorry, wrong copy&paste. It should have been https://github.com/ceph/ceph/pull/53714
Comment 5 Tim Serong 2023-10-23 08:15:14 UTC
The patch is in the upstream Pacific backport queue (https://github.com/ceph/ceph/pull/53758). This should thus land in the next upstream Pacific release (16.2.15), which we will then use for our next downstream maintenance update.

Note that this issue only affects the RGW server code, which isn't shipped in any of the SLE basesystem repos.  It's only shipped in SUSE:SLE-15-SP3:Update:Products:SES7:Update/ceph and openSUSE:Factory.