Bug 1014986 - (CVE-2016-9579) VUL-0: CVE-2016-9579: ceph: RGW server DoS via request with invalid HTTP Origin header
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
Nathan Cutler
https://smash.suse.de/issue/177339/
CVSSv2:SUSE:CVE-2016-9579:3.5:(AV:N/A...
Reported: 2016-12-10 09:33 UTC by Marcus Meissner
Modified: 2018-04-26 22:36 UTC
Found By: Security Response Team
Description Marcus Meissner 2016-12-10 09:33:59 UTC
http://tracker.ceph.com/issues/18187

rgw: do not abort when accept a CORS request with short origin

Fixed: #18187

When accepting a CORS request whose HTTP origin is shorter than the bucket's corsrule
(e.g. origin: http://s.com, corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>),
rgw_cors.cc::is_string_in_set() will have a wrong index, and the radosgw server will
abort.

(QA REPRODUCER)
Set public-acl on an rgw object.

Set a CORS rule on the bucket (e.g. <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).

Simulate a CORS request:

$ curl http://test.localhost:8000/app.data -H "Origin:http://s.com" 

 0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
 in thread 7f6add05d700 thread_name:civetweb-worker

 ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
 1: (()+0x50720a) [0x7f6b147c420a]
 2: (()+0xf370) [0x7f6b09a33370]
 3: (gsignal()+0x37) [0x7f6b081ca1d7]
 4: (abort()+0x148) [0x7f6b081cb8c8]
 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
 6: (()+0x5e946) [0x7f6b08acc946]
 7: (()+0x5e973) [0x7f6b08acc973]
 8: (()+0x5eb93) [0x7f6b08accb93]
 9: (std::__throw_out_of_range(char const*)+0x77) [0x7f6b08b21a17]
 10: (()+0xbd97a) [0x7f6b08b2b97a]
 11: (()+0x449c1e) [0x7f6b14706c1e]
 12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
 13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
 14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
 15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
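The failure mode described above, as an added C++ example that is not Ceph's code and not part of the original report: a suffix comparison whose start index wraps around when the origin is shorter than the rule's suffix, which makes std::string::compare throw std::out_of_range (the exception visible in the backtrace), next to a length-checked form. All function names are hypothetical, and the rule syntax is simplified to at most one `*`.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical helper (not Ceph's code): does `origin` end with `suffix`?
// Unchecked form: origin.size() - suffix.size() wraps around when the origin
// is shorter, and std::string::compare(pos, ...) throws std::out_of_range for
// pos > size(). Left uncaught in a worker thread, that terminates the process.
bool ends_with_unchecked(const std::string& origin, const std::string& suffix) {
  return origin.compare(origin.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Checked form: an origin that is too short simply does not match.
bool ends_with_checked(const std::string& origin, const std::string& suffix) {
  if (origin.size() < suffix.size()) return false;
  return origin.compare(origin.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Match an origin against one AllowedOrigin rule containing at most one '*'
// (simplifying assumption for this example).
bool origin_matches_rule(const std::string& origin, const std::string& rule) {
  const std::size_t star = rule.find('*');
  if (star == std::string::npos) return origin == rule;
  const std::string prefix = rule.substr(0, star);
  const std::string suffix = rule.substr(star + 1);
  // Prefix and suffix must both fit in the origin without overlapping.
  if (origin.size() < prefix.size() + suffix.size()) return false;
  return origin.compare(0, prefix.size(), prefix) == 0 &&
         ends_with_checked(origin, suffix);
}

// Returns true when the unchecked comparison throws for this pair.
bool unchecked_throws(const std::string& origin, const std::string& suffix) {
  try {
    ends_with_unchecked(origin, suffix);
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}
```
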
Comment 1 Swamp Workflow Management 2016-12-10 23:00:39 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-13 16:37:55 UTC
https://github.com/ceph/ceph/pull/12397 (jewel)

https://github.com/ceph/ceph/pull/12398 (hammer)
Comment 3 Marcus Meissner 2016-12-13 16:43:51 UTC
I am assuming it affects all ceph-radosgw packages done by us.
Comment 4 Nathan Cutler 2017-02-05 22:11:41 UTC
hammer PR has been merged and will be in the next point release (0.94.10)

jewel PR has been merged and will be in the next point release (10.2.6)

Immediately after the relevant point release is published, we will prepare and submit maintenance updates.
Comment 6 Swamp Workflow Management 2017-04-03 13:13:14 UTC
openSUSE-SU-2017:0910-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1003891,1008435,1008501,1012100,1014986,1015748,1019616,970642
CVE References: CVE-2016-9579
Sources used:
openSUSE Leap 42.2 (src):    ceph-10.2.6+git.1489493035.3ad7a68-6.4.1, ceph-test-10.2.6+git.1489493035.3ad7a68-6.4.1
Comment 7 Nathan Cutler 2017-04-19 08:59:19 UTC
This is fixed in the following maintenance updates:

SES3: https://build.suse.de/request/show/130551
SES4: https://build.suse.de/request/show/130759
Comment 8 Swamp Workflow Management 2017-06-02 16:11:22 UTC
SUSE-SU-2017:1479-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1003891,1008435,1008501,1012100,1014986,1015748,1029482,970642
CVE References: CVE-2016-9579
Sources used:
SUSE Enterprise Storage 4 (src):    ceph-10.2.6+git.1490339825.57146d8-11.7, ceph-test-10.2.6+git.1490339825.57146d8-11.7
Comment 9 Marcus Meissner 2017-10-24 13:03:35 UTC
ses3 is still waiting for more issues
Comment 10 Swamp Workflow Management 2017-12-01 14:09:08 UTC
SUSE-SU-2017:3171-1: An update that solves two vulnerabilities and has 15 fixes is now available.

Category: security (moderate)
Bug References: 1003891,1008435,1008501,1012100,1014986,1015371,1015748,1024691,1025643,1028109,1029482,1033786,1042973,1043767,1051598,1056536,970642
CVE References: CVE-2016-9579,CVE-2017-7519
Sources used:
SUSE Enterprise Storage 3 (src):    ceph-10.2.10+git.1510313171.6d5f0aeac1-13.7.3, ceph-test-10.2.10+git.1510313171.6d5f0aeac1-13.7.2
Comment 11 Marcus Meissner 2018-02-19 15:56:11 UTC
released
Comment 14 Johannes Segitz 2018-04-26 15:12:00 UTC
thanks, adjusted our tracking