Bug 1845387 (CVE-2020-10763)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2020-10763 heketi: gluster-block volume password details available in logs | | |
| Product: | [Other] Security Response | Reporter: | Hardik Vyas <hvyas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | agarcial, aos-bugs, aos-storage-staff, bmontgom, eparis, gghezzo, gparvin, hchiramm, hvyas, jburrell, jmulligan, jokerman, jramanat, jsafrane, jshepherd, jweiser, madam, mimccune, nstielau, prasanna.kalever, puebele, rhs-bugs, security-response-team, sponnaga, stcannon, storage-qa-internal, tfister, thee |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | heketi 10.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information, such as gluster-block passwords. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-30 20:21:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1845388, 1853545, 1854255, 1854256, 1877066 | | |
| Bug Blocks: | 1844590 | | |
Description
Hardik Vyas
2020-06-09 05:49:45 UTC
Acknowledgments:
Name: Prasanna Kumar Kalever (Red Hat)

Statement: The version of heketi shipped with Red Hat Gluster Storage 3 does not filter out gluster-block volume passwords, hence affected by this vulnerability.

Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenShift 3.11 uses heketi-v4.0.0-95-gaaf40619 which isn't affected by this issue. The efs-provisioner container in OpenShift 4 doesn't include the vulnerable package (executors/cmdexec/block_volume) [1]

[1] https://github.com/openshift/external-storage/blob/34efc4c2dc0f7032db94b760a9c563ef914cd285/Gopkg.lock#L325

Upstream PR: https://github.com/heketi/heketi/pull/1790

External References: https://github.com/heketi/heketi/releases/tag/v10.1.0

This issue has been addressed in the following products:
Red Hat Gluster Storage 3.5 for RHEL 7
Native Client for RHEL 7 for Red Hat Storage
Via RHSA-2020:4143 https://access.redhat.com/errata/RHSA-2020:4143

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10763

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
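The flaw above is a secret reaching a log line. As an added example, not heketi's code and not the change made in the upstream PR, the Go program below (Go being heketi's own language) shows the two-part check a practitioner wants for this class of bug: a redaction filter placed on the logger's output path that masks password values in the two shapes a block-volume executor is likely to log (a JSON result echoed into the log, and a command line carrying a password token), and a scan that reports which existing log lines still contain a known password verbatim. The key names (PASSWORD, passwd, secret), the command-line shapes, and the sample log lines are constructed assumptions for the example, not a description of heketi's or gluster-block's actual output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const mask = "[REDACTED]"

// Patterns for two places a secret can surface in an executor's log line.
// Both the key names and the line shapes are assumptions for this example,
// not heketi's actual log format.
var (
	// "PASSWORD":"value" (a JSON result echoed into the log; key in any case)
	jsonSecret = regexp.MustCompile(`(?i)("(?:password|passwd|secret)"\s*:\s*")[^"]*(")`)
	// password=value, password value, --password value (a logged command line)
	cliSecret = regexp.MustCompile(`(?i)(\bpass(?:word|wd)(?:=|\s+))(\S+)`)
)

// Redact returns a copy of line with every secret-bearing value masked.
// Non-secret fields (IQN, USERNAME, RESULT, hosts, sizes) are left intact
// so the line stays useful for debugging.
func Redact(line string) string {
	out := jsonSecret.ReplaceAllString(line, "${1}"+mask+"${2}")
	return cliSecret.ReplaceAllString(out, "${1}"+mask)
}

// SafeSprintf formats like fmt.Sprintf and redacts the result. Wrapping the
// logger's formatting step this way means a secret cannot reach the log
// even when a caller passes it by mistake, which is the failure mode here.
func SafeSprintf(format string, a ...interface{}) string {
	return Redact(fmt.Sprintf(format, a...))
}

// FindLeaks returns the indices of log lines that contain any of the known
// secrets verbatim. Run it over existing logs with the passwords from the
// volume database to confirm whether a deployment actually leaked.
func FindLeaks(lines []string, secrets []string) []int {
	var hits []int
	for i, l := range lines {
		for _, s := range secrets {
			if s != "" && strings.Contains(l, s) {
				hits = append(hits, i)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample lines; not real heketi or gluster-block output.
	secret := "s3cr3t-pw"
	lines := []string{
		`Running: gluster-block create vol_x/blk_1 ha 3 auth enable 10.0.0.1,10.0.0.2 5GiB --json`,
		`Result: {"IQN":"iqn.2016-12.org.gluster-block:1234","USERNAME":"u1","PASSWORD":"s3cr3t-pw","RESULT":"SUCCESS"}`,
		`Running: targetcli /iscsi/iqn.x/tpg1 set auth password=s3cr3t-pw`,
	}
	fmt.Println("leaking lines before redaction:", FindLeaks(lines, []string{secret}))
	var clean []string
	for _, l := range lines {
		clean = append(clean, Redact(l))
		fmt.Println(clean[len(clean)-1])
	}
	fmt.Println("leaking lines after redaction:", FindLeaks(clean, []string{secret}))
	fmt.Println(SafeSprintf("created block %s with password %s", "blk_1", secret))
}
```

Pattern-based redaction is a last line of defense, not a substitute for the real fix: the executor should never hand the password to the logger in the first place. Keeping both layers means a future code path that logs a raw command result still does not disclose the credential, and FindLeaks gives an operator a concrete way to decide whether log rotation or credential rotation is needed after upgrading.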