Description
Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send a JWT whose "alg" header is "none"; when this is done, the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of the time of publication, a known patched version has yet to be published.
A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm ("alg"). This occurs because the implementation does not enforce strict signature validation and instead honours the algorithm named in the attacker-controlled token header, enabling attackers to forge tokens that are accepted without any signature.
Statement
This vulnerability is rated Important because it bypasses JWT signature verification in Ceph Rados Gateway, allowing attackers to forge tokens and gain unauthorized access. OpenShift Data Foundation (ODF) ships the affected component but is not vulnerable to this issue. To exploit this issue, an attacker needs to authenticate via OIDC and manually set the token's algorithm to "none"; RadosGW will then not validate the signature on the JWT. ODF is protected because it uses the Vault API to interface with OIDC (and other providers), and Vault does not support "none" as an algorithm type.
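The following is an added example, not code from the advisory or from Ceph itself, that reproduces the class of bug described above in a few lines of Python: a verifier that dispatches on the "alg" value carried in the token header (and therefore treats "none" as "skip the signature check") next to a verifier that pins the allowed algorithms from the relying party's side. It uses an HMAC (HS256) shared secret as a stand-in for the provider's signing key and an assumed issuer URL; a real OIDC provider normally signs with an asymmetric key published via JWKS, but the alg-confusion pattern and the fix are identical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key standing in for the OIDC provider's signing key (assumption:
# HS256 instead of the RS256/JWKS setup a real provider would use).
PROVIDER_SECRET = b"constructed-demo-secret"
# Assumed issuer; not taken from the advisory.
EXPECTED_ISSUER = "https://idp.example.test"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes) -> bytes:
    return hmac.new(PROVIDER_SECRET, signing_input, hashlib.sha256).digest()


def mint_token(claims: dict, alg: str) -> str:
    """Build a JWT. alg='HS256' signs it legitimately; alg='none' produces the unsigned
    token an attacker would craft (empty third segment)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode())).encode()
    if alg == "HS256":
        sig = _b64url_encode(_hs256(signing_input))
    elif alg == "none":
        sig = ""
    else:
        raise ValueError("unsupported alg")
    return signing_input.decode() + "." + sig


def verify_trusting_header(token: str) -> Optional[dict]:
    """Vulnerable pattern: the algorithm is read from the token itself, so a header of
    alg=none means the signature is never checked and forged claims are returned."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    if header["alg"] == "none":
        return claims                       # bypass: no signature required
    if header["alg"] == "HS256":
        if hmac.compare_digest(_hs256(f"{h}.{p}".encode()), _b64url_decode(s)):
            return claims
    return None


def verify_strict(token: str, allowed_algs=("HS256",)) -> Optional[dict]:
    """Hardened pattern: the relying party decides the allow-list of algorithms (derived
    from the provider's key material, never from the token), 'none' is rejected in any
    letter case, the signature segment must be present and must verify, and issuer and
    expiry are checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    alg = json.loads(_b64url_decode(h)).get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in allowed_algs or not s:
        return None
    if not hmac.compare_digest(_hs256(f"{h}.{p}".encode()), _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("exp", 0) < time.time():
        return None
    return claims


def run_demo() -> dict:
    """Mint a legitimate token and an alg=none forgery with escalated 'sub', then run both
    verifiers on each and return the outcomes."""
    claims = {"iss": EXPECTED_ISSUER, "sub": "alice", "exp": int(time.time()) + 3600}
    good = mint_token(claims, "HS256")
    forged = mint_token(dict(claims, sub="admin"), "none")
    return {
        "lenient_good": verify_trusting_header(good),
        "lenient_forged": verify_trusting_header(forged),
        "strict_good": verify_strict(good),
        "strict_forged": verify_strict(forged),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The lenient verifier accepts the forged token and hands back "sub": "admin"; the strict one returns None for it while still accepting the properly signed token. Vault's behaviour described in the statement corresponds to the strict path: "none" is simply not a supported algorithm, so the token is rejected before any claim is read.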
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ceph Storage 4 | ceph | Affected | | |
| Red Hat Ceph Storage 4 | rhceph/rhceph-4-rhel8 | Affected | | |
| Red Hat Ceph Storage 5 | ceph | Affected | | |
| Red Hat Ceph Storage 5 | rhceph/rhceph-5-rhel8 | Affected | | |
| Red Hat Ceph Storage 6 | rhceph/rhceph-6-rhel9 | Affected | | |
| Red Hat Ceph Storage 7 | rhceph/rhceph-7-rhel9 | Affected | | |
| Red Hat Enterprise Linux 8 | ceph | Not affected | | |
| Red Hat Enterprise Linux 9 | ceph | Not affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Not affected | | |
| Red Hat Ceph Storage 6.1 | ceph | Fixed | RHSA-2025:4238 | 28.04.2025 |
CVSS3: 9.1 Critical
Related vulnerabilities
Ceph is vulnerable to authentication bypass through RadosGW
Vulnerability in the radosgw daemon of the Ceph storage system that allows an attacker to bypass authentication