RH:CVE-2019-19337 (Red Hat, access.redhat.com)
Published: 2019-12-19 17:36:25

CVE-2019-19337

EPSS: 0.001 (Low), percentile 36.4%

A flaw was found in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw to cause a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server.

Mitigation

1. By default the system uses /etc/init.d/ceph-radosgw; stop this service with:
~]# /etc/init.d/ceph-radosgw stop

2. Create a systemd service, changing the command-line parameters according to the environment in which the Ceph radosgw is running.

~]# cat /usr/lib/systemd/system/ceph-rgw.service
[Unit]
Description=Ceph RGW daemon

[Service]
Type=forking
ExecStart=/bin/radosgw -n client.rgw.$(HOSTNAME REDACTED)
Restart=on-abnormal
RestartSec=1s

[Install]
WantedBy=multi-user.target

3. Start the systemd service 'ceph-rgw.service'.

Caveat: it still takes 1 to 2 seconds for the service to come back online after each crash. After applying the mitigation above, the malicious IP can be blocked by a firewall rule if there are continuous attempts to launch a remote denial of service. This mitigation is of limited use if the attack is launched from multiple IPs. It is recommended to limit the exposure of the Ceph RGW server to known clients.
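The unit above brings radosgw back after a crash, but each crash still costs the 1 to 2 seconds of downtime the caveat describes, so the thing to watch for under this mitigation is a restart loop. The script below is an added example, not part of the Red Hat advisory: it counts abnormal exits of ceph-rgw.service in a journal excerpt and checks that a unit file carries the restart directives the mitigation relies on. The journal lines are constructed samples in `journalctl -o short-iso` format; the signal and status values in them are assumed, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory). Assumes the unit is named
# ceph-rgw.service as in the mitigation above and that the excerpt comes from
# "journalctl -u ceph-rgw.service -o short-iso --no-pager".

# Constructed journal excerpt: three crash restarts, then one clean stop.
# The code=/status= values are assumed for illustration.
sample_journal() {
cat <<'EOF'
2019-12-19T17:36:25+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-19T17:37:02+0000 rgw1 systemd[1]: ceph-rgw.service: Main process exited, code=dumped, status=6/ABRT
2019-12-19T17:37:03+0000 rgw1 systemd[1]: ceph-rgw.service: Scheduled restart job, restart counter is at 1.
2019-12-19T17:37:04+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-19T17:37:41+0000 rgw1 systemd[1]: ceph-rgw.service: Main process exited, code=dumped, status=6/ABRT
2019-12-19T17:37:42+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-19T17:38:20+0000 rgw1 systemd[1]: ceph-rgw.service: Main process exited, code=dumped, status=6/ABRT
2019-12-19T17:38:21+0000 rgw1 systemd[1]: Started Ceph RGW daemon.
2019-12-19T18:00:00+0000 rgw1 systemd[1]: ceph-rgw.service: Main process exited, code=exited, status=0/SUCCESS
EOF
}

# Count main-process exits of ceph-rgw.service on stdin, ignoring clean stops
# (status=0/SUCCESS). Prints 0 when nothing matches.
count_abnormal_exits() {
    awk '/ceph-rgw\.service: Main process exited/ && !/status=0\/SUCCESS/ { n++ }
         END { print n + 0 }'
}

# Read a journal excerpt on stdin; return 1 (and print an alert) when the
# number of abnormal exits reaches the threshold given as $1, else return 0.
check_restart_storm() {
    n=$(count_abnormal_exits)
    if [ "$n" -ge "$1" ]; then
        echo "ALERT: $n abnormal exits of ceph-rgw.service, possible restart loop"
        return 1
    fi
    echo "ok: $n abnormal exits of ceph-rgw.service"
}

# Verify that unit text on stdin carries a crash-restart policy and a delay.
# on-abnormal is what the advisory uses; on-failure and always also restart on signal.
unit_has_restart_policy() {
    awk '/^Restart=(on-abnormal|on-failure|always)$/ { r = 1 }
         /^RestartSec=/ { s = 1 }
         END { exit !(r && s) }'
}

# Stand-alone demo: three abnormal exits in the sample trip a threshold of 3.
sample_journal | check_restart_storm 3 || echo "(page the on-call here)"
```

On a live host, feed `journalctl -u ceph-rgw.service --since -10min -o short-iso --no-pager` to `check_restart_storm` from a cron job or timer, and `unit_has_restart_policy < /usr/lib/systemd/system/ceph-rgw.service` to confirm the unit still matches the mitigation.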
