RGW returns requested bucket name raw in "Bucket" response header

Bug #1520185 reported by Adam Heczko
Affects              Status        Importance  Assigned to       Milestone
Mirantis OpenStack   Won't Fix     Medium      Denis Meltsaykin
  6.0.x              Fix Released  Medium      Denis Meltsaykin
  6.1.x              Fix Released  Medium      Denis Meltsaykin
  7.0.x              Fix Released  Medium      Denis Meltsaykin

Bug Description

Please help me identify whether we are vulnerable to CVE-2015-5245 with pre MOS 7.0 ceph versions

Problem description:
Ceph RadosGW versions up to v0.80.10 are vulnerable to HTTP header modification attack.

Resolution proposal:
Apply appropriate patchset preventing HTTP header manipulation.

Upstream bug report:
http://tracker.ceph.com/issues/12537

How to check/reproduce:
Mentioned in upstream bug report (curl)

CVE References

CVE-2015-5245
description: updated
Changed in mos:
importance: Undecided → Medium
milestone: none → 5.1.1-mu-3
assignee: nobody → MOS Maintenance (mos-maintenance)
Revision history for this message
Radoslaw Zarzynski (rzarzynski) wrote :

Presence of the "Bucket" HTTP header depends on the "rgw_expose_bucket"
configuration option that is, fortunately, set to "false" by default.

The reason behind introducing the option is described in the commit [1].

[1] https://github.com/ceph/ceph/commit/f97264d4842cd2d28e089e2dd8a409b93bb1a825.
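
Added example, not part of this bug report or of Ceph's code: a defender-side audit of captured RGW response headers that reports whether a "Bucket" header is present (i.e. rgw_expose_bucket is on) and whether any field value still carries CR/LF or other control characters, plus the server-side sanitisation a header echo needs. The function names and the sample responses are constructed for illustration.

```python
import re

# Control characters that must never appear inside an HTTP field value
# (RFC 7230 permits only visible ASCII, SP and HTAB). A CR or LF here means
# user-controlled data reached the header block unsanitised.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP/1.1 response, in wire order.
    Duplicates are kept so that an extra line created by an injected CRLF
    shows up as its own header instead of being merged away."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        pairs.append((name.decode("latin-1").strip().lower(),
                      value.decode("latin-1").strip()))
    return pairs


def audit_bucket_header(raw: bytes) -> dict:
    """Flag an exposed Bucket header and any value containing control bytes."""
    pairs = parse_response_headers(raw)
    bucket = [v for n, v in pairs if n == "bucket"]
    tainted = [n for n, v in pairs if _CTL.search(v)]
    return {"bucket_exposed": bool(bucket),
            "bucket_values": bucket,
            "headers_with_control_chars": tainted}


def sanitize_field_value(value: str) -> str:
    """Mitigation on the emitting side: drop characters that can terminate
    or split a header line before echoing request data into a response."""
    return _CTL.sub("", value)


# Constructed sample responses (not captured from any real RGW instance).
SAFE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
EXPOSED = b"HTTP/1.1 200 OK\r\nBucket: \"photos\"\r\nContent-Length: 0\r\n\r\n"
TAINTED = b"HTTP/1.1 200 OK\r\nBucket: \"a\nb\"\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("safe", SAFE), ("exposed", EXPOSED), ("tainted", TAINTED)):
        print(label, audit_bucket_header(resp))
```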

Changed in mos:
status: New → Confirmed
Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

Radoslaw, is https://github.com/ceph/ceph/pull/5430 enough to fix this issue?

Revision history for this message
Radoslaw Zarzynski (rzarzynski) wrote :

Hello Vitaly,

You might want to get also this one as a dependency:
https://github.com/ceph/ceph/pull/4844
http://tracker.ceph.com/issues/11860

That's the fix for another problem located in the affected lines.

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :
Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

Retargeted to 6.1-mu-5 because of delayed reviews

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

Changeset for 7.0 is being reviewed: https://review.fuel-infra.org/#/c/14876/

tags: added: on-verification
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

7.0 default installations don't expose Bucket in the response (one should turn it on in the config); moreover, it doesn't behave as mentioned in the original report, as our code lacks the patch which removes quotation marks from the Bucket response.

tags: removed: on-verification
Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → Denis Meltsaykin (dmeltsaykin)
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :
information type: Private Security → Public Security
Dmitry (dtsapikov)
tags: added: on-verification
Revision history for this message
Dmitry (dtsapikov) wrote :

Verified on 6.1+mu5

tags: removed: on-verification
Changed in mos:
milestone: 5.1.1-mu-3 → 5.1.1-updates
Revision history for this message
Alexey Stupnikov (astupnikov) wrote :

We no longer support MOS5.1, MOS6.0, MOS6.1
We deliver only Critical/Security fixes to MOS7.0, MOS8.0.
We deliver only High/Critical/Security fixes to MOS9.2.

Changed in mos:
status: Confirmed → Won't Fix