Bug 1185619 - (CVE-2021-3524) VUL-0: CVE-2021-3524: ceph: ceph object gateway: radosgw: CRLF injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/283302/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3524:6.5:(AV:N...
Depends on:
Blocks:
Reported: 2021-05-04 14:37 UTC by Gianluca Gabrielli
Modified: 2022-04-06 12:40 UTC (History)
CC: 8 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Upstream patch (1.24 KB, patch)
2021-05-10 05:50 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-05-04 14:37:31 UTC
CVE-2021-3524

It was reported that a "newline" character in the ExposeHeader tag of the CORS XML configuration file can lead to a header injection attack.
When a CORS request is made, the response contains the injected header. Using newline characters injected into the HTTP headers, a malicious user can add arbitrary headers such as Set-Cookie to set arbitrary cookies.

This impacts the RHCS RadosGW S3 API.
For example, a malicious user could create a publicly accessible S3 bucket with such a CORS configuration, and anyone who accessed that bucket would have these headers injected.

In addition, \r can also be used as a separator and is not handled by the prior patch, which only handled \n separators.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1951674
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3524
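The data flow the description above talks about (a CORS ExposeHeader value copied verbatim into the Access-Control-Expose-Headers response header) is easy to model end to end. The following Python is an added illustration, not radosgw code and not the upstream patch: the three policy names (`none`, `lf_only`, `crlf`), the `", "` join of several ExposeHeader values into one header, the `ValueError` standing in for a rejected PutBucketCORS, and the lenient client parser are all assumptions made for the example. CR and LF are written as XML character references because a conforming XML parser normalizes a raw CR in element text to LF before the application sees it; `&#13;` is how a literal carriage return survives parsing, which is the case the `\n`-only check misses.

```python
"""Header injection through an S3 CORS <ExposeHeader>, modelled in Python.

Constructed illustration for CVE-2021-3524; this is not radosgw code. It only
models the data flow the bug report describes: a value from the bucket's CORS
configuration is copied into the Access-Control-Expose-Headers response header,
so a CR or LF inside it lets the bucket owner append headers of their own.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed bucket CORS configuration with one attacker-controlled
# ExposeHeader; {payload} is substituted below. CR/LF are XML character
# references: a conforming parser turns a raw CR in element text into LF,
# so &#13; is the way a literal carriage return reaches the application.
CORS_TEMPLATE = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <ExposeHeader>x-amz-request-id</ExposeHeader>
    <ExposeHeader>{payload}</ExposeHeader>
  </CORSRule>
</CORSConfiguration>"""

LF_PAYLOAD = "ETag&#10;Set-Cookie: session=attacker"  # newline separator
CR_PAYLOAD = "ETag&#13;Set-Cookie: session=attacker"  # bare carriage return

# Hypothetical names for the three states the bug report distinguishes:
# no check at all, a check that only looks for '\n', and one covering '\r'.
POLICIES = {
    "none": lambda v: True,
    "lf_only": lambda v: "\n" not in v,
    "crlf": lambda v: "\r" not in v and "\n" not in v,
}


def expose_headers(cors_xml: str) -> list[str]:
    """Parse the CORS document and return every ExposeHeader value in order."""
    root = ET.fromstring(cors_xml)
    return [el.text or "" for el in root.iter("ExposeHeader")]


def put_bucket_cors(cors_xml: str, policy: str) -> list[str]:
    """Model PutBucketCORS: store the ExposeHeader list or refuse the document.

    Refusal is modelled as a ValueError; the real error response is out of
    scope for this illustration.
    """
    values = expose_headers(cors_xml)
    check = POLICIES[policy]
    for v in values:
        if not check(v):
            raise ValueError(f"MalformedXML: control character in {v!r}")
    return values


def cors_response(expose: list[str]) -> str:
    """Serialize the CORS response headers as bytes-on-the-wire text.

    Exposed header names are joined with ', ' into one comma-separated header
    (an assumption of this model); every header line ends in CRLF.
    """
    headers = [
        ("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Expose-Headers", ", ".join(expose)),
    ]
    return "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def lenient_client_headers(raw: str) -> dict[str, str]:
    """Parse a header block the way a lenient client does: CRLF, LF or a bare
    CR all end a line. Strict parsers treat a bare CR differently, which is
    exactly why the server must never emit one inside a header value."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def attack(payload: str, policy: str) -> dict[str, str] | None:
    """Upload a CORS config carrying `payload`, then return the headers a
    lenient client sees on a CORS request. None means the upload was refused."""
    try:
        expose = put_bucket_cors(CORS_TEMPLATE.format(payload=payload), policy)
    except ValueError:
        return None
    return lenient_client_headers(cors_response(expose))


if __name__ == "__main__":
    for policy in POLICIES:
        for label, payload in (("LF", LF_PAYLOAD), ("CR", CR_PAYLOAD)):
            seen = attack(payload, policy)
            verdict = ("rejected" if seen is None
                       else "INJECTED" if "Set-Cookie" in seen else "clean")
            print(f"{policy:8} {label}: {verdict}")
```

Running it shows the three states side by side: with no check both payloads inject a Set-Cookie header, with the `\n`-only check the LF payload is refused but the CR payload still injects, and only the check that also covers `\r` refuses both. The check belongs at configuration-upload time, before the value is stored, so that no request path has to be trusted to escape it later.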
Comment 1 Gianluca Gabrielli 2021-05-04 14:54:13 UTC
A patch for this bug is not yet available. The finding description mentions another, already fixed bug [0], which may be closely related. It explains that the fix for CVE-2020-10753 only protects against the `\n` char and not against `\r`. That partial fix was introduced with this commit [1] (v.14.2.10, v.15.2.4, v.16.1.0, v.17.0.0).

It's not clear if two patches will be released to address both CVEs or only one that will fix both. In the case of two patches, I will follow up on the old CVE from its bugzilla issue [0].

Currently supported ceph packages are:

- SUSE:SLE-11-SP3:Update/ceph    0.80.11
- SUSE:SLE-12-SP2:Update/ceph    10.2.5
- SUSE:SLE-12-SP3:Update/ceph    12.2.13
- SUSE:SLE-15-SP1:Update/ceph    14.2.20.402
- SUSE:SLE-15-SP2:Update/ceph    15.2.11.83
- SUSE:SLE-15:Update/ceph        13.2.4.125
- openSUSE:Factory/ceph          16.2.0.91

[0] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-10753
[1] https://github.com/ceph/ceph/commit/1524d3c0c5cb11775313ea1e2bb36a93257947f2
Comment 2 Nathan Cutler 2021-05-04 15:12:14 UTC
> Currently supported ceph packages are:
> 
> - SUSE:SLE-11-SP3:Update/ceph    0.80.11
> - SUSE:SLE-12-SP2:Update/ceph    10.2.5
> - SUSE:SLE-12-SP3:Update/ceph    12.2.13
> - SUSE:SLE-15-SP1:Update/ceph    14.2.20.402
> - SUSE:SLE-15-SP2:Update/ceph    15.2.11.83
> - SUSE:SLE-15:Update/ceph        13.2.4.125
> - openSUSE:Factory/ceph          16.2.0.91

Not all ceph packages are created equal. Since this is a server-side bug, the fix will not affect codestreams where ceph is carried purely for the purpose of client enablement. That means actually only the following subset of that list needs to be patched to fix this bug:

> - SUSE:SLE-15-SP1:Update/ceph    14.2.20.402
> - SUSE:SLE-15-SP2:Update/ceph    15.2.11.83

since these two are SES6 and SES7, respectively.

In other words, this bug should not be tracked as affecting SLE at all. Only SES.
Comment 3 Gianluca Gabrielli 2021-05-04 15:51:10 UTC
Thanks Nathan for your input, that really helps to address this issue in the proper way. I reflected your suggestions in our tracking system; only SUSE:SLE-15-SP1:Update and SUSE:SLE-15-SP2:Update are now tracked as affected.
Comment 9 Gianluca Gabrielli 2021-05-10 05:50:23 UTC
Created attachment 849177 [details]
Upstream patch
Comment 10 Marcus Meissner 2021-05-14 07:10:04 UTC
Is public now.

https://docs.ceph.com/en/latest/releases/octopus/
Comment 11 Marcus Meissner 2021-05-14 07:10:56 UTC
rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader (CVE-2021-3524: HTTP header injects via CORS in RGW, Sergey Bobrov, Casey Bodley)
Comment 12 Gianluca Gabrielli 2021-05-14 08:56:34 UTC
Affected packages:

SUSE:SLE-12-SP3:Update/ceph     12.2.13+git.1609861337.ff66d09906
SUSE:SLE-15:Update/ceph         13.2.4.125+gad802694f5
SUSE:SLE-15-SP1:Update/ceph     14.2.20.402+g6aa76c6815
SUSE:SLE-15-SP2:Update/ceph     15.2.11.83+g8a15f484c2
openSUSE:Factory/ceph           16.2.3.26+g422932e923

Special case for SUSE:SLE-15:Update/ceph because it is also lacking a previous patch [0]. In this case please apply this missing patch first.

Upstream patch [1].

As Nathan explained in comment 2, this bug really affects only ceph server installations. But, since the patch is very easy to apply, I'd like to ask to patch all the codestreams. Thanks

[0] https://github.com/ceph/ceph/commit/1524d3c0c5cb11775313ea1e2bb36a93257947f2.patch
[1] https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1.patch
Comment 13 Nathan Cutler 2021-05-14 09:04:54 UTC
@Gianluca, 

The patches will be applied to all the codestreams you mentioned, except one :-)

Upstream did not issue a fix for this codestream:

SUSE:SLE-12-SP3:Update/ceph     12.2.13+git.1609861337.ff66d09906

So I'm not sure if it makes sense to take the risk of applying the patch there. The problems I see:

1. adding an untested patch is risky
2. since this Bug 1185619 does not apply to that codestream, the patch would not be fixing any known issue
Comment 14 Nathan Cutler 2021-05-14 10:18:10 UTC
Oops, I just noticed this codestream in your list

SUSE:SLE-15:Update/ceph         13.2.4.125+gad802694f5

It is also unaffected by the bug (for the reason stated above) and also, the 13.2.* release series being EOL, upstream did not test or release any fix for it.

So that one will also not be getting patched.
Comment 15 OBSbugzilla Bot 2021-05-14 12:00:03 UTC
This is an autogenerated message for OBS integration:
This bug (1185619) was mentioned in
https://build.opensuse.org/request/show/893105 Factory / ceph
Comment 16 Gianluca Gabrielli 2021-05-14 12:28:53 UTC
Hi Nathan,

I get your point, and in line with your opinion we can avoid patching the following two packages:
 - SUSE:SLE-12-SP3:Update/ceph
 - SUSE:SLE-15:Update/ceph

Since this bug exists only in server installations and these codestreams mainly ship ceph for client use, it seems very reasonable to skip the patch.

Anyway, both SLE-12-SP3 and SLE-15 are still under LTSS support, and we have to backport security patches with a CVSS score > 7 for all contained packages, even when upstream has dropped support for those versions. But this is not the case here ;), so let's stick with your suggestion and skip these two codestreams.
Comment 19 Swamp Workflow Management 2021-06-02 19:20:15 UTC
SUSE-SU-2021:1834-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185619,1186020,1186021
CVE References: CVE-2021-3509,CVE-2021-3524,CVE-2021-3531
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    ceph-15.2.12.83+g528da226523-3.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ceph-15.2.12.83+g528da226523-3.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ceph-15.2.12.83+g528da226523-3.25.1
SUSE Enterprise Storage 7 (src):    ceph-15.2.12.83+g528da226523-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2021-06-02 19:31:08 UTC
SUSE-SU-2021:1835-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185619,1186020,1186021
CVE References: CVE-2021-3509,CVE-2021-3524,CVE-2021-3531
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Manager Retail Branch Server 4.0 (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Manager Proxy 4.0 (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE Enterprise Storage 6 (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1
SUSE CaaS Platform 4.0 (src):    ceph-14.2.21.403+g69ab6ea274d-3.63.1

Comment 21 Swamp Workflow Management 2021-06-03 22:24:09 UTC
openSUSE-SU-2021:0833-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185619,1186020,1186021
CVE References: CVE-2021-3509,CVE-2021-3524,CVE-2021-3531
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ceph-15.2.12.83+g528da226523-lp152.2.18.1, ceph-test-15.2.12.83+g528da226523-lp152.2.18.1
Comment 22 Swamp Workflow Management 2021-07-10 23:10:04 UTC
openSUSE-SU-2021:1834-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185619,1186020,1186021
CVE References: CVE-2021-3509,CVE-2021-3524,CVE-2021-3531
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ceph-15.2.12.83+g528da226523-3.25.1, ceph-test-15.2.12.83+g528da226523-3.25.1
Comment 25 Gabriele Sonnu 2022-04-06 12:40:01 UTC
All done.