{
  "threat_severity" : "Moderate",
  "public_date" : "2020-04-06T17:00:00Z",
  "bugzilla" : {
    "description" : "ceph: header-splitting in RGW GetObject has a possible XSS",
    "id" : "1812962",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1812962"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.", "A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input." ],
  "statement" : "Red Hat OpenStack Platform 15 (RHOSP) packages Ceph but no longer uses it, instead pulling ceph directly from the Red Hat Ceph Storage 4 repository. For this reason, RHOSP will not be updated for this flaw.\nThis issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3 and 4, and with Red Hat Openshift Container Storage 4.2, because they allow unauthenticated requests sent by an anonymous user for Amazon S3.",
  "acknowledgement" : "Red Hat would like to thank Robin H. Johnson (DigitalOcean) for reporting this issue. Upstream acknowledges William Bowling as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 4.1",
    "release_date" : "2020-07-20T00:00:00Z",
    "advisory" : "RHSA-2020:3003",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "ceph-2:14.2.8-81.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.1",
    "release_date" : "2020-07-20T00:00:00Z",
    "advisory" : "RHSA-2020:3003",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "ceph-ansible-0:4.0.25-1.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.1",
    "release_date" : "2020-07-20T00:00:00Z",
    "advisory" : "RHSA-2020:3003",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "ceph-medic-0:1.0.8-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.1",
    "release_date" : "2020-07-20T00:00:00Z",
    "advisory" : "RHSA-2020:3003",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "cockpit-ceph-installer-0:1.2-0.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 4.1",
    "release_date" : "2020-07-20T00:00:00Z",
    "advisory" : "RHSA-2020:3003",
    "cpe" : "cpe:/a:redhat:ceph_storage:4::el7",
    "package" : "nfs-ganesha-0:2.8.3-8.el7cp"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Will not fix",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15 (Stein)",
    "fix_state" : "Will not fix",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:openstack:15"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1760\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1760\nhttps://www.openwall.com/lists/oss-security/2020/04/07/1" ],
  "name" : "CVE-2020-1760",
  "mitigation" : {
    "value" : "* Mitigation provided by DigitalOcean:\nMitigation relies on the HAProxy load-balancers in front of RGW, and uses HAProxy ACLs combined with in-house Lua embedded in HAProxy.\n1. Detect usage of the query-parameters without any signature (either pre-signed or header), and return an S3-formatted error.\n2. Validate the content in the query-parameters, and return an S3-formatted error.\nHAProxy mitigation:\n===\nacl req_s3_GetObject REDACTED ## redacted uses internal Lua to detect GetObject\nacl has_accesskey REDACTED ## redacted uses internal Lua to detect & validate signature\n# detection 1, QPs present\nacl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found\nacl req_s3_GetObject_urlp_response url_param(response-expires) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-language) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-type) -m found\n# detection 2, QPs containing unprintable ascii incl CRLF\nacl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\n# block for detection 1\nhttp-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey\n# block for detection 2\nhttp-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf\n===",
    "lang" : "en:us"
  },
  "csaw" : false
}