Bugzilla – Bug 1014986
VUL-0: CVE-2016-9579: ceph: RGW server DoS via request with invalid HTTP Origin header
Last modified: 2018-04-26 22:36:18 UTC
http://tracker.ceph.com/issues/18187

rgw: do not abort when accept a CORS request with short origin

Fixed: #18187

when accept a CORS request, the request http origin shorter than the bucket's corsrule (eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>). the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will abort.

(QA REPRODUCER)

set public-acl to a rgw object.
set cors rule to the bucket(eg: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
simulating a CORS requests.

    $ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"

    0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
    in thread 7f6add05d700 thread_name:civetweb-worker
    ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
    1: (()+0x50720a) [0x7f6b147c420a]
    2: (()+0xf370) [0x7f6b09a33370]
    3: (gsignal()+0x37) [0x7f6b081ca1d7]
    4: (abort()+0x148) [0x7f6b081cb8c8]
    5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
    6: (()+0x5e946) [0x7f6b08acc946]
    7: (()+0x5e973) [0x7f6b08acc973]
    8: (()+0x5eb93) [0x7f6b08accb93]
    9: (std::__throw_out_of_range(char const*)+0x77) [0x7f6b08b21a17]
    10: (()+0xbd97a) [0x7f6b08b2b97a]
    11: (()+0x449c1e) [0x7f6b14706c1e]
    12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
    13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
    14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
    15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]
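The indexing failure described in the report above, as an added C++ example that is not Ceph's code and not part of the original bug comment. The function names are hypothetical, and the unchecked matcher is an assumed shape of a wildcard-suffix comparison, not a copy of rgw_cors.cc::is_string_in_set().

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed illustration of the bug class, not the code from rgw_cors.cc.
// Both functions match an origin against a rule of the form "*<suffix>".

// Unchecked: assumes the origin is at least as long as the suffix.
bool suffix_match_unchecked(const std::string& origin, const std::string& rule) {
  const std::string suffix = rule.substr(1);  // drop the leading '*'
  // Unsigned subtraction wraps around when origin is shorter than suffix,
  // so compare() receives a position past the end and throws out_of_range.
  const std::size_t pos = origin.size() - suffix.size();
  return origin.compare(pos, suffix.size(), suffix) == 0;
}

// Checked: an origin shorter than the suffix simply does not match.
bool suffix_match_checked(const std::string& origin, const std::string& rule) {
  const std::string suffix = rule.substr(1);
  if (origin.size() < suffix.size()) return false;
  const std::size_t pos = origin.size() - suffix.size();
  return origin.compare(pos, suffix.size(), suffix) == 0;
}

// Returns true if the unchecked matcher throws std::out_of_range.
// In a server thread with no handler, that exception ends in abort().
bool unchecked_throws(const std::string& origin, const std::string& rule) {
  try {
    (void)suffix_match_unchecked(origin, rule);
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}

int main() {
  const std::string rule = "*.verylongdomain.com";  // rule from the report
  const std::string short_origin = "http://s.com";  // origin from the report
  std::cout << std::boolalpha
            << "unchecked throws: " << unchecked_throws(short_origin, rule) << "\n"
            << "checked (short):  " << suffix_match_checked(short_origin, rule) << "\n"
            << "checked (match):  "
            << suffix_match_checked("http://a.verylongdomain.com", rule) << "\n";
  return 0;
}
```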
bugbot adjusting priority
https://github.com/ceph/ceph/pull/12397 (jewel)
https://github.com/ceph/ceph/pull/12398 (hammer)
I am assuming it affects all ceph-radosgw packages done by us.
hammer PR has been merged and will be in the next point release (0.94.10)
jewel PR has been merged and will be in the next point release (10.2.6)

Immediately after the relevant point release is published, we will prepare and submit maintenance updates.
openSUSE-SU-2017:0910-1: An update that solves one vulnerability and has 7 fixes is now available.
Category: security (moderate)
Bug References: 1003891,1008435,1008501,1012100,1014986,1015748,1019616,970642
CVE References: CVE-2016-9579
Sources used:
openSUSE Leap 42.2 (src): ceph-10.2.6+git.1489493035.3ad7a68-6.4.1, ceph-test-10.2.6+git.1489493035.3ad7a68-6.4.1
This is fixed in the following maintenance updates:
SES3: https://build.suse.de/request/show/130551
SES4: https://build.suse.de/request/show/130759
SUSE-SU-2017:1479-1: An update that solves one vulnerability and has 7 fixes is now available.
Category: security (moderate)
Bug References: 1003891,1008435,1008501,1012100,1014986,1015748,1029482,970642
CVE References: CVE-2016-9579
Sources used:
SUSE Enterprise Storage 4 (src): ceph-10.2.6+git.1490339825.57146d8-11.7, ceph-test-10.2.6+git.1490339825.57146d8-11.7
ses3 is still waiting for more issues
SUSE-SU-2017:3171-1: An update that solves two vulnerabilities and has 15 fixes is now available.
Category: security (moderate)
Bug References: 1003891,1008435,1008501,1012100,1014986,1015371,1015748,1024691,1025643,1028109,1029482,1033786,1042973,1043767,1051598,1056536,970642
CVE References: CVE-2016-9579,CVE-2017-7519
Sources used:
SUSE Enterprise Storage 3 (src): ceph-10.2.10+git.1510313171.6d5f0aeac1-13.7.3, ceph-test-10.2.10+git.1510313171.6d5f0aeac1-13.7.2
released
thanks, adjusted our tracking