Impact
This is a security issue because it enables MITM modification of request bodies that are
meant to have integrity guaranteed by chunk signatures.
In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk.
This check can be skipped if the client sends a false chunk size that is much greater than the actual data
sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby
without ever checking the chunk signature.
Patches
Patched by @aead in PR #11801, users are advised to upgrade to RELEASE.2021-03-17T02-33-02Z
Workarounds
Avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS.
MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.
References
#11801 for more information on the fix and how it was fixed.
For more information
If you have any questions or comments about this advisory:
Impact
This is a security issue because it enables MITM modification of request bodies that are
meant to have integrity guaranteed by chunk signatures.
In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk.
This check can be skipped if the client sends a false chunk size that is much greater than the actual data
sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby
without ever checking the chunk signature.
Patches
Patched by @aead in PR #11801, users are advised to upgrade to RELEASE.2021-03-17T02-33-02Z
Workarounds
Avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS.
MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.
References
#11801 for more information on the fix and how it was fixed.
For more information
If you have any questions or comments about this advisory: