Bug 1892109 (CVE-2020-25678)
Summary: | CVE-2020-25678 ceph: mgr modules' passwords are in clear text in mgr logs | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | amctagga, bniver, branto, danmick, david, dbecker, fedora, gfidente, hvyas, i, jdurgin, jjoyce, josef, jschluet, lhh, loic, lpeer, madam, mburns, mhicks, ocs-bugs, ramkrsna, sclewis, security-response-team, slinaber, slong, sostapov, steve |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Ceph: the ceph-mgr daemon writes mgr module passwords to its logs in clear text. The leak can be confirmed by searching the mgr logs for the Grafana and dashboard module configuration entries, where the passwords are visible to anyone who can read the log files. The highest threat from this vulnerability is to confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-04-28 22:46:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1885869, 1899764, 1900681, 1903757, 1910512, 1915506 | | |
Bug Blocks: | 1886169 | | |
Description
Sage McTaggart
2020-10-27 22:35:07 UTC
Upstream issue: https://tracker.ceph.com/issues/37503

Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1900681]

External References:

https://tracker.ceph.com/issues/37503

Statement:

* Red Hat Ceph Storage 4 is affected by this flaw, with the passwords visible under sudo. Red Hat Ceph Storage 3 is not affected by this flaw, and does not log passwords by default.
* Red Hat OpenShift Container Storage (RHOCS) 4 shipped the Ceph package for the usage of RHOCS 4.2 only, which has reached End Of Life. Hence, the Ceph package is no longer used and supported with the release of RHOCS 4.3.
* Red Hat OpenStack Platform deployments use the Ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.

This issue has been addressed in the following products:

Red Hat Ceph Storage 4.2 via RHSA-2021:1452 https://access.redhat.com/errata/RHSA-2021:1452

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25678
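The Doc Text and Statement above say the leak is confirmed by searching the mgr logs for the Grafana and dashboard entries. What follows is an added example, not code from this bug, from Ceph or from Red Hat, of the check a practitioner would run on a ceph-mgr log before attaching it to a support case: it scans audit lines for dashboard commands that carry a credential, reports which argument leaked, and produces a redacted copy. The audit-line layout in SAMPLE_MGR_LOG is constructed for this example, the mapping of command prefixes to argument names is an assumption, and the helper names (Finding, scan_mgr_log, redact_mgr_log) are this example's own.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample of the kind of ceph-mgr log lines the flaw leaves behind.
# The audit-line layout is an assumption for this example, not a capture from
# an affected cluster; only the dashboard command names are real ones.
SAMPLE_MGR_LOG = """\
2020-10-27 22:35:07.123 7f0c3e8b5700  0 log_channel(audit) log [DBG] : from='client.14142 -' entity='client.admin' cmd=[{"prefix": "dashboard set-grafana-api-password", "value": "s3cr3t-grafana"}]: dispatch
2020-10-27 22:35:08.456 7f0c3e8b5700  0 log_channel(audit) log [DBG] : from='client.14143 -' entity='client.admin' cmd=[{"prefix": "dashboard ac-user-create", "username": "admin", "password": "Passw0rd!"}]: dispatch
2020-10-27 22:35:09.789 7f0c3e8b5700  0 log_channel(audit) log [DBG] : from='client.14144 -' entity='client.admin' cmd=[{"prefix": "dashboard set-grafana-api-url", "value": "https://grafana.example:3000"}]: dispatch
2020-10-27 22:35:10.012 7f0c3e8b5700  0 log_channel(cluster) log [INF] : Cluster is now healthy
"""

# Dashboard commands whose argument is a credential, mapped to the argument
# name as it appears in the logged command JSON (assumed for this example).
SECRET_ARGS_BY_PREFIX = {
    "dashboard set-grafana-api-password": {"value"},
    "dashboard set-rgw-api-secret-key": {"value"},
    "dashboard ac-user-create": {"password"},
    "dashboard ac-user-set-password": {"password"},
}
# Fallback for commands not listed above: credential-looking argument names.
GENERIC_SECRET_KEY = re.compile(r"password|passwd|secret|token", re.IGNORECASE)

# Greedy on purpose: the match must run to the closing bracket of the JSON
# array (just before ": dispatch"), not to the first ']' inside a value.
CMD_JSON_RE = re.compile(r"cmd=(\[.*\])")


@dataclass
class Finding:
    lineno: int
    prefix: str
    leaked_args: dict = field(default_factory=dict)  # arg name -> clear-text value


def _secret_args(cmd):
    """Return the credential-carrying arguments of one logged command."""
    known = SECRET_ARGS_BY_PREFIX.get(cmd.get("prefix", ""), set())
    return {
        name: value
        for name, value in cmd.items()
        if name != "prefix" and (name in known or GENERIC_SECRET_KEY.search(name))
    }


def scan_mgr_log(text):
    """Find mgr log lines that carry a module password in clear text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CMD_JSON_RE.search(line)
        if not m:
            continue
        try:
            cmds = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # not a JSON command array; nothing to inspect
        for cmd in cmds:
            if not isinstance(cmd, dict):
                continue
            leaked = _secret_args(cmd)
            if leaked:
                findings.append(Finding(lineno, cmd.get("prefix", ""), leaked))
    return findings


def redact_mgr_log(text):
    """Return the log with every leaked credential value replaced by '***'.
    Only the flagged lines are touched; everything else is passed through."""
    lines = text.splitlines()
    for f in scan_mgr_log(text):
        line = lines[f.lineno - 1]
        for value in f.leaked_args.values():
            # The logged JSON quotes strings exactly as json.dumps does.
            line = line.replace(json.dumps(value), json.dumps("***"))
        lines[f.lineno - 1] = line
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for f in scan_mgr_log(SAMPLE_MGR_LOG):
        print(f"line {f.lineno}: {f.prefix!r} leaks {sorted(f.leaked_args)}")
    print(redact_mgr_log(SAMPLE_MGR_LOG))
```

On a real cluster, read the log into `scan_mgr_log` and adjust `CMD_JSON_RE` if the mgr's audit lines are laid out differently from the constructed sample. A hit means the credential must be treated as exposed to every reader of the log (including log shippers and backups) and rotated; redaction only makes the file safe to share, and the logging itself stops only with the fixed packages from the errata above.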