Bug 1593308 (CVE-2018-10861)

Summary: CVE-2018-10861 ceph: ceph-mon does not perform authorization on OSD pool ops
Product: [Other] Security Response Reporter: Siddharth Sharma <sisharma>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: branto, danmick, david, fedora, i, jdillama, josef, kdreyer, kkeithle, ramkrsna, security-response-team, sisharma, steve, sweil, tserlin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph 10.2.11, ceph 12.2.6, ceph 13.2.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete and corrupt snapshot images
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-30 05:15:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1593593, 1593594, 1599403, 1599407    
Bug Blocks: 1593097    

Description Siddharth Sharma 2018-06-20 14:08:08 UTC 
A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, and corrupt snapshot images. 

This would require user to have read access and for that user must have key for authentication. It would only affect snapshots and images. So attacker with read access will only be able to corrupt data of snapshot images and rest of the ceph cluster should work as it is. Affect on integrity would be low and availability part can be controlled by mitigation using 'mon_allow_pool_delete = false' in ceph.conf to disable deletion of pools
Comment 1 Siddharth Sharma 2018-06-20 14:08:11 UTC 
Mitigation:

Use  mon_allow_pool_delete = false in ceph.conf to disable deletion of pools


~]$ for p in `rados lspools`
do
   ceph osd pool set $p nodelete true
done

caveat: This mitigation does not protect against  attacker from corrupting snapshot images
Comment 5 Siddharth Sharma 2018-07-09 16:57:12 UTC 
upstream fix:

http://tracker.ceph.com/issues/24838
https://github.com/ceph/ceph/commit/975528f632f73fbffa3f1fee304e3bbe3296cffc
Comment 7 Siddharth Sharma 2018-07-09 17:08:38 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1599407]
Comment 8 errata-xmlrpc 2018-07-11 18:10:54 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.0 for Ubuntu 16.04

Via RHSA-2018:2177 https://access.redhat.com/errata/RHSA-2018:2177
Comment 9 errata-xmlrpc 2018-07-11 18:21:25 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2018:2179 https://access.redhat.com/errata/RHSA-2018:2179
Comment 12 errata-xmlrpc 2018-07-26 15:36:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Ubuntu 16.04

Via RHSA-2018:2274 https://access.redhat.com/errata/RHSA-2018:2274
Comment 13 errata-xmlrpc 2018-07-26 18:06:28 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2018:2261 https://access.redhat.com/errata/RHSA-2018:2261
Comment 14 Tomas Hoger 2020-11-11 09:58:33 UTC 
Fixed upstream in versions: 10.2.11, 12.2.6, and 13.2.1

https://docs.ceph.com/en/latest/releases/jewel/#v10-2-11-jewel
https://docs.ceph.com/en/latest/releases/luminous/#v12-2-6-luminous
https://docs.ceph.com/en/latest/releases/mimic/#v13-2-1-mimic