CVE-2024-48916 Overview
CVE-2024-48916 is an authentication bypass vulnerability in Ceph, a distributed object, block, and file storage platform. The vulnerability exists in the RadosGW OIDC provider component, which improperly handles JSON Web Tokens (JWT) with the algorithm set to "none". When an attacker sends a JWT with alg: none, the signature verification is completely bypassed, allowing unauthorized access to protected resources.
Critical Impact
Attackers can bypass JWT signature verification by specifying "none" as the algorithm, potentially gaining unauthorized access to Ceph storage resources and compromising data confidentiality and integrity.
Affected Products
- Ceph versions 19.2.3 and below
- Ceph RadosGW OIDC provider component
Discovery Timeline
- 2025-07-30 - CVE CVE-2024-48916 published to NVD
- 2025-07-31 - Last updated in NVD database
Technical Details for CVE-2024-48916
Vulnerability Analysis
This vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity). The flaw resides in how the RadosGW OIDC provider processes incoming JWT tokens. JWT is a widely used standard for transmitting authentication claims between parties, and the security of the mechanism relies heavily on cryptographic signature verification.
The vulnerability allows attackers to craft malicious JWT tokens that completely bypass signature verification. By setting the alg header field to "none", an attacker can submit unsigned tokens that the RadosGW OIDC provider accepts as valid. This is a classic JWT algorithm confusion attack that has affected numerous implementations across the industry.
The impact is significant as successful exploitation allows attackers to forge authentication tokens, potentially gaining access to protected storage resources without valid credentials. This can lead to unauthorized data access, data exfiltration, or data manipulation within the Ceph storage cluster.
Root Cause
The root cause of this vulnerability is insufficient validation of the JWT algorithm header before processing the token. The RadosGW OIDC provider fails to explicitly reject tokens that specify "none" as the signature algorithm. In a properly implemented JWT verification process, the server should:
- Maintain an allowlist of acceptable algorithms
- Reject any token using the "none" algorithm
- Verify the signature using the expected algorithm before trusting the token claims
The vulnerable implementation appears to trust the algorithm specified in the token header without validating it against a secure allowlist, allowing the "none" algorithm to bypass all signature checks.
Attack Vector
The attack is network-based and requires low privileges to execute. An attacker with the ability to send requests to the RadosGW endpoint can exploit this vulnerability by:
- Crafting a JWT token with arbitrary claims (such as elevated privileges or different user identity)
- Setting the alg header field to "none"
- Omitting the signature portion of the JWT entirely
- Submitting this malformed token to the RadosGW OIDC authentication endpoint
The JWT "none" algorithm attack works because the JWT specification technically allows tokens without signatures (for trusted environments), but accepting such tokens in production authentication systems represents a critical security failure.
When the vulnerable RadosGW component receives a token with alg: none, it processes the claims without verifying any cryptographic signature, effectively trusting attacker-controlled data for authentication decisions.
Detection Methods for CVE-2024-48916
Indicators of Compromise
- JWT tokens in RadosGW access logs containing "alg":"none" in the decoded header
- Authentication events with unusual or unexpected user claims that don't match known user profiles
- Successful authentication attempts from users or service accounts that should not have valid credentials
- Anomalous access patterns to Ceph storage resources following suspicious authentication events
Detection Strategies
- Implement log monitoring for RadosGW access logs to detect JWT tokens with suspicious algorithm values
- Deploy network inspection rules to identify JWT tokens containing "alg":"none" in the header portion
- Configure authentication event correlation to flag access attempts where the JWT algorithm is set to "none"
- Enable detailed OIDC authentication logging to capture and analyze token metadata
Monitoring Recommendations
- Monitor RadosGW service logs for authentication anomalies and unusual access patterns
- Implement real-time alerting for any JWT processing errors or algorithm validation failures
- Review audit logs for unauthorized data access following suspicious authentication events
- Track authentication success rates and investigate any unexpected increases
How to Mitigate CVE-2024-48916
Immediate Actions Required
- Review and audit all RadosGW OIDC provider configurations for exposure
- Implement network-level controls to filter requests containing suspicious JWT tokens where possible
- Consider temporarily disabling OIDC authentication if not critical, switching to alternative authentication methods
- Monitor for exploitation attempts using the detection strategies outlined above
Patch Information
As of the publication date, a known patched version has not yet been released by the Ceph project. Organizations should monitor the GitHub Security Advisory for updates on patch availability. When a patch becomes available, prioritize deployment to all affected Ceph installations.
Workarounds
- Implement a reverse proxy or API gateway in front of RadosGW that validates JWT algorithm headers and rejects tokens with alg: none
- Configure network segmentation to limit exposure of RadosGW OIDC endpoints to trusted networks only
- Use alternative authentication mechanisms such as S3-style access keys instead of OIDC where feasible
- Deploy Web Application Firewall (WAF) rules to inspect and block JWT tokens containing the "none" algorithm
# Example: nginx configuration to reject JWT with alg:none
# Add to location block handling RadosGW OIDC endpoints
# Decode base64url JWT header and check for alg:none pattern
# Note: This is a basic detection - implement proper JWT parsing for production
if ($http_authorization ~* "eyJ[A-Za-z0-9_-]*bm9uZSI") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
