Bug 1007217 - (CVE-2016-8626) VUL-0: CVE-2016-8626: ceph: RGW Denial of Service by sending POST object with null conditions
VUL-0: CVE-2016-8626: ceph: RGW Denial of Service by sending POST object with...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2016-10-27 09:25 UTC by Johannes Segitz
Modified: 2018-04-26 22:36 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-10-27 09:25:51 UTC

Flaw was found using which attacker can send post object with null conditions
to ceph rados gateway which would lead to crash of ceph-radosgw service resulting
Denial of Service.

Submit that fixes this and reproducer script available at: http://tracker.ceph.com/issues/17635

Comment 1 Swamp Workflow Management 2016-10-27 22:00:57 UTC
bugbot adjusting priority
Comment 2 Nathan Cutler 2016-11-07 10:04:23 UTC
Upstream status

The jewel fix is https://github.com/ceph/ceph/pull/11662 which has been merged upstream and will be included in the upcoming 10.2.4 release.

The hammer fix is https://github.com/ceph/ceph/pull/11809 which has been staged, but not yet merged. Still, I hope to get it into the upcoming 0.94.10 release.

Downstream status

SES4: fix has been merged and will be in M6

SES3: fix will be included in the next maintenance update (as soon as upstream releases 10.2.4)

SES2.1: fix will be included in the next maintenance update (as soon as upstream releases 0.94.10 and assuming there are no unexpected difficulties getting the upstream fix merged in time)
Comment 3 Nathan Cutler 2016-11-23 05:35:10 UTC
Upstream update: hammer backport was just merged and will be included in 0.94.10
Comment 4 Nathan Cutler 2016-12-15 15:54:47 UTC
The patch just made it into our downstream ses3 branch. Assuming the updated branch builds and passes our CI, it will be submitted as a maintenance update to SES3.

SES2.1 is still a WIP.
Comment 8 Swamp Workflow Management 2017-03-20 20:08:18 UTC
SUSE-SU-2017:0758-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1007217,1008435,1008894,1012100,1014338,1015748,1019616
CVE References: CVE-2016-8626
Sources used:
SUSE Enterprise Storage 3 (src):    ceph-10.2.5+git.1485186288.4e3c6c4-12.2, ceph-test-10.2.5+git.1485186288.4e3c6c4-12.2
Comment 9 Marcus Meissner 2017-10-24 12:53:24 UTC
was released for storage 4 (but without this tracker bug being referenced), 10.2.5 ceph version is fixed.
Comment 11 Johannes Segitz 2018-04-26 15:15:15 UTC
adjusted tracking to exclude SUSE:SLE-11-SP3:Update