The Ceph Object Gateway CRLF Vulnerability (CVE-2015-5245)

2015-12-07T00:00:00
ID MYHACK58:62201569786
Type myhack58
Reporter Anonymous
Modified 2015-12-07T00:00:00

Description

CVE (CAN) ID: CVE-2015-5245

The Ceph Object Gateway is an object storage interface built on top of librados. It gives applications a RESTful gateway to the Ceph Storage Clusters distributed storage system.

In Ceph versions before 0.94.4, the Ceph Object Gateway contains a CRLF injection vulnerability. A remote attacker can use a crafted bucket name to inject arbitrary HTTP headers and conduct HTTP response splitting attacks.

(Source: Red Hat)
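
The class of bug described above, as an added example that is not Ceph's code or its patch: a header writer that copies a bucket name into a response header unchanged, next to one that rejects CR/LF and other control bytes. The header name `X-Example-Bucket`, the function names and the bucket-name allowlist are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helpers for illustration; this is not radosgw code.

// True if v holds a byte that can end or split a header line (CR, LF, NUL,
// other C0 controls except TAB, or DEL).
bool has_header_breaking_bytes(const std::string& v) {
    for (unsigned char c : v)
        if ((c < 0x20 && c != '\t') || c == 0x7f) return true;
    return false;
}

// Assumed bucket-name policy: 3..255 characters from [A-Za-z0-9._-].
bool is_safe_bucket_name(const std::string& name) {
    if (name.size() < 3 || name.size() > 255) return false;
    for (unsigned char c : name) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
        if (!ok) return false;
    }
    return true;
}

// Unsafe pattern: the value is copied into the header line unchanged.
std::string header_line_unchecked(const std::string& field, const std::string& value) {
    return field + ": " + value + "\r\n";
}

// Hardened pattern: emit nothing and return false if either part could split the line.
bool header_line_checked(const std::string& field, const std::string& value, std::string& out) {
    if (has_header_breaking_bytes(field) || has_header_breaking_bytes(value)) return false;
    out = header_line_unchecked(field, value);
    return true;
}

// Number of CRLF-terminated lines a receiver would see in a serialized block.
std::size_t count_header_lines(const std::string& block) {
    std::size_t n = 0;
    for (std::size_t p = block.find("\r\n"); p != std::string::npos; p = block.find("\r\n", p + 2)) ++n;
    return n;
}

int main() {
    const std::string crafted = "demo\r\nX-Constructed: 1";  // constructed sample input
    std::string line;
    std::cout << count_header_lines(header_line_unchecked("X-Example-Bucket", crafted)) << "\n";
    std::cout << header_line_checked("X-Example-Bucket", crafted, line) << "\n";
    return 0;
}
```

Validating the bucket name when the bucket is created and checking again when the header is written covers names that were stored before the validation existed.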

Recommendation:


Vendor patch:

Ceph: The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's page:

http://tracker.ceph.com/issues/12537