Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 1506625

Summary: CVE-2017-12155 allow ceph-ansible to set permissions and then ACL of ceph keyrings
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: John Fulton <johfulto>
Component: Ceph-AnsibleAssignee: Sébastien Han <shan>
Status: CLOSED ERRATA QA Contact: John Fulton <johfulto>
Severity: high Docs Contact:
Priority: high    
Version: 3.0CC: adeza, anharris, aschoen, ceph-eng-bugs, ceph-qe-bugs, gmeno, hnallurv, jefbrown, johfulto, kdreyer, nthomas, ohochman, sankarshan, sasha, yrabl
Target Milestone: rc   
Target Release: 3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: ceph-ansible-3.0.13-1.el7cp Ubuntu: ceph-ansible_3.0.13-2redhat1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1514264 1514265 (view as bug list) Environment:
Last Closed: 2017-12-05 23:49:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1491470, 1514264, 1514265    

Description John Fulton 2017-10-26 13:12:37 UTC 
ceph-ansible needs the ability to set the permissions and then the ACLs of a Ceph keyring file in order for OSP12 to be able to solve the following security CVE: 

 https://access.redhat.com/security/cve/CVE-2017-12155

This issue is tracked in upstream ceph-ansible by: 

 https://github.com/ceph/ceph-ansible/issues/2092

and solved by the following PR in upstream ceph-ansible: 

 https://github.com/ceph/ceph-ansible/pull/2110

When the above PR is used in combination with the following tripleo heat templates: 

 https://review.openstack.org/#/c/508975 

this issue will be solved. 

This will be a blocker for OSP12 and will need to be backported to whatever version of ceph-ansible is shipped with OSP12.
Comment 3 John Fulton 2017-10-26 13:15:12 UTC 
Setting target release to 3.0 as this security issue will block OSP12 (assuming ceph-ansible 3.0 will ship with OSP12).
Comment 9 Sébastien Han 2017-10-27 07:57:46 UTC 
Upstream has merged, fix will be in 3.0.7, https://github.com/ceph/ceph-ansible/releases/tag/v3.0.7

Ken, please build a package :).
Comment 18 John Fulton 2017-11-03 22:10:43 UTC 
When the fixed-in version (ceph-ansible-3.0.7) is tested with OpenStack as trigged by OSPd (puddle for verson 12 10.31.1), the permissions and ACLs are set correctly.
Comment 21 John Fulton 2017-11-15 16:23:41 UTC 
Upstream merged:
https://github.com/ceph/ceph-ansible/pull/2174#pullrequestreview-76695289
Comment 28 John Fulton 2017-11-16 19:58:06 UTC 
The following merged, moving to POST.

 https://github.com/ceph/ceph-ansible/pull/2189
Comment 33 Omri Hochman 2017-11-16 23:10:39 UTC 
cloned to osp12 , to be verify there, as it blocks deployment with ceph . https://bugzilla.redhat.com/show_bug.cgi?id=1514265
Comment 37 errata-xmlrpc 2017-12-05 23:49:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3387