Arch Linux Security Advisory ASA-202105-3
========================================
Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-3509 CVE-2021-3524 CVE-2021-3531 CVE-2021-20288
Package : ceph
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1826

Summary
======
The package ceph before version 15.2.12-1 is vulnerable to multiple
issues including insufficient validation, cross-site scripting, denial
of service and url request injection.

Resolution
=========
Upgrade to 15.2.12-1.

# pacman -Syu "ceph>=15.2.12-1"

The problems have been fixed upstream in version 15.2.12.

Workaround
=========
None.

Description
==========
- CVE-2021-3509 (cross-site scripting)

A security issue was found in ceph before version 15.2.12. In order to
make the JWT token inaccessible through cross-site scripting (XSS), it
was moved from localStorage to httpOnly Cookie (CVE-2020-27839). But
token cookies are used in the body of the HTTP response for the
documentation, which again makes it available to XSS.

- CVE-2021-3524 (url request injection)

A security issue was found in the Red Hat Ceph Storage RadosGW (Ceph
Object Gateway) before version 15.2.12. The vulnerability is related to
the injection of HTTP headers via a CORS ExposeHeader tag. The newline
character in the ExposeHeader tag in the CORS configuration file
generates a header injection in the response when the CORS request is
made.

In addition, the prior bug fix for CVE-2020-10753 did not account for
the use of \r as a header separator, thus a new flaw has been created.

- CVE-2021-3531 (denial of service)

A security issue was found in the Red Hat Ceph Storage RGW before
version 15.2.12. When processing a GET Request for a swift URL that
ends with two slashes it can cause the rgw to crash, resulting in a
denial of service.

- CVE-2021-20288 (insufficient validation)

An authentication flaw was found in ceph before version 15.2.11. When
the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't
sanitize other_keys, allowing key reuse. An attacker who can request a
global_id can exploit the ability of any user to request a global_id
previously associated with another user, as ceph does not force the
reuse of old keys to generate new ones.

Impact
=====
A remote attacker could obtain a user's access token using cross-site
scripting, inject headers into requests to bypass CORS, crash the
server using a crafted request, or reuse old authentication keys.

References
=========
https://bugs.archlinux.org/task/70450
https://bugzilla.redhat.com/show_bug.cgi?id=1950116
https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b
https://bugzilla.redhat.com/show_bug.cgi?id=1951674
https://github.com/ceph/ceph/commit/94f7c87a78b05ec856a5ee1ff62af136331776a3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3531
https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039
https://www.openwall.com/lists/oss-security/2021/04/14/2
https://bugzilla.redhat.com/show_bug.cgi?id=1938031
https://github.com/ceph/ceph/commit/1f57617d5edb45a8a696eac7c910e8fc44c934a3
https://github.com/ceph/ceph/commit/9f3efe7cd1a780b91e5c8cfee192a0c51d0151dc
https://security.archlinux.org/CVE-2021-3509
https://security.archlinux.org/CVE-2021-3524
https://security.archlinux.org/CVE-2021-3531
https://security.archlinux.org/CVE-2021-20288

ArchLinux: 202105-3: ceph: multiple issues

May 20, 2021

Summary

- CVE-2021-3509 (cross-site scripting) A security issue was found in ceph before version 15.2.12. In order to make the JWT token inaccessible through cross-site scripting (XSS), it was moved from localStorage to httpOnly Cookie (CVE-2020-27839). But token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.
- CVE-2021-3524 (url request injection)
A security issue was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) before version 15.2.12. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
- CVE-2021-3531 (denial of service)
A security issue was found in the Red Hat Ceph Storage RGW before version 15.2.12. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service.
- CVE-2021-20288 (insufficient validation)
An authentication flaw was found in ceph before version 15.2.11. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones.

Resolution

Upgrade to 15.2.12-1. # pacman -Syu "ceph>=15.2.12-1"
The problems have been fixed upstream in version 15.2.12.

References

https://bugs.archlinux.org/task/70450 https://bugzilla.redhat.com/show_bug.cgi?id=1950116 https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b https://bugzilla.redhat.com/show_bug.cgi?id=1951674 https://github.com/ceph/ceph/commit/94f7c87a78b05ec856a5ee1ff62af136331776a3 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3531 https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039 https://www.openwall.com/lists/oss-security/2021/04/14/2 https://bugzilla.redhat.com/show_bug.cgi?id=1938031 https://github.com/ceph/ceph/commit/1f57617d5edb45a8a696eac7c910e8fc44c934a3 https://github.com/ceph/ceph/commit/9f3efe7cd1a780b91e5c8cfee192a0c51d0151dc https://security.archlinux.org/CVE-2021-3509 https://security.archlinux.org/CVE-2021-3524 https://security.archlinux.org/CVE-2021-3531 https://security.archlinux.org/CVE-2021-20288

Severity
Package : ceph
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1826

Workaround

None.

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved