Description
A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.
Statement
Red Hat OpenStack Platform 15 (RHOSP) packages Ceph but no longer uses it, instead pulling ceph directly from the Red Hat Ceph Storage 4 repository. For this reason, RHOSP will not be updated for this flaw. This issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3, 4 and Red Hat Openshift Container Storage 4.2 as it allows unauthenticated requests sent by an anonymous user for Amazon S3.
Mitigation
- Mitigation provided by DigitalOcean: the mitigation relies on the HAProxy load balancers in front of RGW and uses HAProxy ACLs combined with in-house Lua embedded in HAProxy.
- Detect usage of the query parameters without any signature (either pre-signed or header) and return an S3-formatted error.
- Validate the content in the query parameters and return an S3-formatted error.

HAProxy mitigation (the Lua-backed ACLs are redacted in the source):

```
# === HAProxy mitigation ===
acl req_s3_GetObject REDACTED   ## redacted: uses internal Lua to detect GetObject
acl has_accesskey REDACTED      ## redacted: uses internal Lua to detect & validate signature

# detection 1, QPs present
acl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found
acl req_s3_GetObject_urlp_response url_param(response-expires) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-language) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-type) -m found

# detection 2, QPs containing unprintable ASCII incl. CRLF
acl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f

# block for detection 1
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey

# block for detection 2
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf
```
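The two detections above, re-implemented as a request classifier for testing the rule logic offline. This is an added example, not DigitalOcean's Lua or any Red Hat code; the "signed" test is a simplified assumption (an `Authorization` header or a pre-signed credential parameter is present), not a real SigV2/SigV4 validation, and every GET is treated as a GetObject.

```python
"""Added example: classify S3 requests the way the HAProxy ACLs above do.
Assumptions (not from the advisory): any GET is a GetObject; a request
counts as signed if it carries an Authorization header or one of the
pre-signed credential query parameters listed below."""
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# The six GetObject response-header override parameters covered by the ACLs.
RESPONSE_OVERRIDES = {
    "response-cache-control", "response-expires",
    "response-content-disposition", "response-content-encoding",
    "response-content-language", "response-content-type",
}
# Query parameters that carry credentials on pre-signed URLs (assumed list).
PRESIGNED_KEYS = {"AWSAccessKeyId", "X-Amz-Credential"}


def classify(method: str, target: str, headers: dict) -> Optional[str]:
    """Return which detection fires for a request, or None if it passes.

    'detection1': a response-* override is present on an unsigned GET.
    'detection2': a response-* override value contains a control character
                  (0x00-0x1f), which covers CR/LF after URL decoding.
    """
    if method.upper() != "GET":
        return None
    query = urlsplit(target).query
    # keep_blank_values mirrors "-m found": an empty value still counts.
    params = parse_qsl(query, keep_blank_values=True)
    overrides = [(k, v) for k, v in params if k.lower() in RESPONSE_OVERRIDES]
    if not overrides:
        return None
    # Detection 2 is checked first: a control character is rejected even
    # when the request is signed, matching the ACL that ignores has_accesskey.
    if any(ord(c) < 0x20 for _, v in overrides for c in v):
        return "detection2"
    signed = any(h.lower() == "authorization" for h in headers) or any(
        k in PRESIGNED_KEYS for k, _ in params
    )
    if not signed:
        return "detection1"
    return None
```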
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | ceph | Out of support scope | ||
| Red Hat Ceph Storage 3 | ceph | Affected | ||
| Red Hat Enterprise Linux 8 | ceph | Not affected | ||
| Red Hat Openshift Container Storage 4 | ceph | Affected | ||
| Red Hat OpenStack Platform 13 (Queens) | ceph | Not affected | ||
| Red Hat OpenStack Platform 15 (Stein) | ceph | Will not fix | ||
| Red Hat Ceph Storage 4.1 | ceph | Fixed | RHSA-2020:3003 | 20.07.2020 |
| Red Hat Ceph Storage 4.1 | ceph-ansible | Fixed | RHSA-2020:3003 | 20.07.2020 |
| Red Hat Ceph Storage 4.1 | ceph-medic | Fixed | RHSA-2020:3003 | 20.07.2020 |
| Red Hat Ceph Storage 4.1 | cockpit-ceph-installer | Fixed | RHSA-2020:3003 | 20.07.2020 |
Additional information
Status:
EPSS
5.8 Medium
CVSS3