Bug 1901330 (CVE-2020-27839)
Summary: | CVE-2020-27839 ceph-dashboard: Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amctagga, anharris, bniver, branto, danmick, david, dbecker, fedora, flucifre, gfidente, gmeno, hvyas, i, jdurgin, jjoyce, josef, jschluet, kdreyer, lhh, loic, lpeer, madam, mbenjamin, mburns, mhackett, mhicks, ocs-bugs, ramkrsna, sclewis, slinaber, sostapov, steve, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ceph-dashboard 14.2.17, ceph-dashboard 15.2.9 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-06-15 21:03:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1906948, 1906954, 1910511 | ||
Bug Blocks: | 1898181 |
Description
Sage McTaggart
2020-11-24 21:21:55 UTC
Created ceph tracking bugs for this issue: Affects: fedora-all [bug 1906954] https://tracker.ceph.com/issues/44591 attaching ceph tracker for reference. Statement: * Red Hat Ceph Storage 3 is not affected as it does not use authentication for the dashboard. * Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time. * Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only which has reached End of Life. The shipped version of ceph package is neither used nor supported with the release of RHOCS 4.3. * Red Hat Enterprise Linux 8 does not include the ceph dashboard component. Mitigation: Do not store sensitive data in HTML5 localStorage, not even temporarily. Use cookies with appropriate security flags (secure, HttpOnly, SameSite). This issue has been addressed in the following products: Red Hat Ceph Storage 4.2 Via RHSA-2021:2445 https://access.redhat.com/errata/RHSA-2021:2445 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27839 |