Bug 1795592 (CVE-2020-1716)

Summary: CVE-2020-1716 ceph-ansible: hard coded credential in ceph-ansible playbook
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: contribs, dbecker, gabrioux, gfidente, hvyas, jjoyce, jschluet, kbasil, knortema, ktdreyer, lhh, lpeer, mburns, ramkrsna, sclewis, sisharma, slinaber
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph-ansible 6.0.0alpha1 Doc Type: Known Issue
Doc Text:
A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. Any authenticated attacker can abuse this flaw to brute-force Ceph deployments, and gain administrator access to Ceph clusters via the Ceph dashboard to initiate read, write, and delete Ceph clusters and also modify Ceph cluster configurations.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-19 21:15:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1795509, 1795602, 1795779, 1813137    
Bug Blocks: 1794731    

Description Dhananjay Arunesh 2020-01-28 12:14:24 UTC 
A vulnerability was found in ceph-ansible, where hard-coded passwords were found in roles/ceph-defaults/defaults/main.yml.

Reference:
https://github.com/ceph/ceph-ansible/blob/bb3eae0c8033dc0ffbee44f490f6ad483bd109b9/roles/ceph-defaults/defaults/main.yml
Comment 6 Siddharth Sharma 2020-01-29 04:06:43 UTC 
upstream fix

https://github.com/ceph/ceph-ansible/pull/4998
Comment 7 Siddharth Sharma 2020-01-30 03:38:23 UTC 
Mitigation:

Change and use strong passwords in ceph-ansible playbook

- https://github.com/ceph/ceph-ansible/blob/v4.0.14/roles/ceph-defaults/defaults/main.yml#L701
- https://github.com/ceph/ceph-ansible/blob/v4.0.14/roles/ceph-defaults/defaults/main.yml#L711
Comment 8 Dhananjay Arunesh 2020-02-11 09:27:57 UTC 
Acknowledgments:

Name: Sarthak Srivastava
Comment 9 Joshua Padman 2020-03-13 02:47:08 UTC 
Statement:

The version of ceph-ansible included in Red Hat OpenStack 15 was temporary, OpenStack 15 installations will consume updates to this package from Ceph channels.
Comment 10 Joshua Padman 2020-03-13 02:47:33 UTC 
Created ceph-ansible tracking bugs for this issue:

Affects: fedora-30 [bug 1813137]
Comment 11 errata-xmlrpc 2020-05-19 17:30:39 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.1

Via RHSA-2020:2231 https://access.redhat.com/errata/RHSA-2020:2231
Comment 12 Product Security DevOps Team 2020-05-19 21:15:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1716