Bug 1007217 – VUL-0: CVE-2016-8626: ceph: RGW Denial of Service by sending POST object with null conditions

Bug 1007217 - (CVE-2016-8626) VUL-0: CVE-2016-8626: ceph: RGW Denial of Service by sending POST object with null conditions

(CVE-2016-8626)
Summary:	VUL-0: CVE-2016-8626: ceph: RGW Denial of Service by sending POST object with...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/174172/
Whiteboard:	CVSSv2:SUSE:CVE-2016-8626:6.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-10-27 09:25 UTC by Johannes Segitz
Modified:	2018-04-26 22:36 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-10-27 09:25:51 UTC

rh#1389193

Flaw was found using which attacker can send post object with null conditions
to ceph rados gateway which would lead to crash of ceph-radosgw service resulting
Denial of Service.

Submit that fixes this and reproducer script available at: http://tracker.ceph.com/issues/17635

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1389193
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8626

Comment 1 Swamp Workflow Management 2016-10-27 22:00:57 UTC

bugbot adjusting priority

Comment 2 Nathan Cutler 2016-11-07 10:04:23 UTC

Upstream status
===============

The jewel fix is https://github.com/ceph/ceph/pull/11662 which has been merged upstream and will be included in the upcoming 10.2.4 release.

The hammer fix is https://github.com/ceph/ceph/pull/11809 which has been staged, but not yet merged. Still, I hope to get it into the upcoming 0.94.10 release.


Downstream status
=================

SES4: fix has been merged and will be in M6

SES3: fix will be included in the next maintenance update (as soon as upstream releases 10.2.4)

SES2.1: fix will be included in the next maintenance update (as soon as upstream releases 0.94.10 and assuming there are no unexpected difficulties getting the upstream fix merged in time)

Comment 3 Nathan Cutler 2016-11-23 05:35:10 UTC

Upstream update: hammer backport was just merged and will be included in 0.94.10

Comment 4 Nathan Cutler 2016-12-15 15:54:47 UTC

The patch just made it into our downstream ses3 branch. Assuming the updated branch builds and passes our CI, it will be submitted as a maintenance update to SES3.

SES2.1 is still a WIP.

Comment 8 Swamp Workflow Management 2017-03-20 20:08:18 UTC

SUSE-SU-2017:0758-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1007217,1008435,1008894,1012100,1014338,1015748,1019616
CVE References: CVE-2016-8626
Sources used:
SUSE Enterprise Storage 3 (src):    ceph-10.2.5+git.1485186288.4e3c6c4-12.2, ceph-test-10.2.5+git.1485186288.4e3c6c4-12.2

Comment 9 Marcus Meissner 2017-10-24 12:53:24 UTC

was released for storage 4 (but without this tracker bug being referenced), 10.2.5 ceph version is fixed.

Comment 11 Johannes Segitz 2018-04-26 15:15:15 UTC

adjusted tracking to exclude SUSE:SLE-11-SP3:Update