The ceph-iscsi-cli package starts the rbd-target-api service in debug mode by default, which enables the underlying python-werkzeug interactive debug console. A remote unauthenticated user who can reach the service can use the debug console to execute arbitrary commands. Upstream Bug: https://github.com/ceph/ceph-iscsi-cli/issues/120
Statement: This issue affects the versions of ceph-iscsi-cli shipped with Red Hat Ceph Storage 2 and 3. The flaw is not in the python-werkzeug library itself; it arises only when an application runs python-werkzeug with debug mode enabled.
Mitigation: To stop the werkzeug debug mode started by rbd-target-api, which is provided by ceph-iscsi-cli:

1. ~]# systemctl stop rbd-target-api

2. ~]# vi /usr/bin/rbd-target-api

   Locate the call that starts the API server (around line 737 in the shipped file). Change debug=True to debug=False, and add use_evalex=False so that the werkzeug debugger's code execution stays disabled even if debug mode is ever turned back on. Before:

       # Start the API server
       ...
       app.run(host='0.0.0.0',
               port=settings.config.api_port,
               debug=True,           <==== change this to debug=False
                                     <==== add use_evalex=False to disable debugger code execution
               use_reloader=False,
               ssl_context=context)
       ...

   After the change it should read:

       # Start the API server
       ...
       app.run(host='0.0.0.0',
               port=settings.config.api_port,
               debug=False,
               use_evalex=False,
               use_reloader=False,
               ssl_context=context)
       ...

3. ~]# systemctl start rbd-target-api

4. Limit exposure of port 5000/tcp: this port should be opened only to trusted hosts that need to run 'gwcli'.
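To verify the mitigation across a fleet rather than by eye, the following added example (not code from ceph-iscsi-cli or from Red Hat) statically audits a launcher script such as /usr/bin/rbd-target-api. It parses the file with the stdlib ast module, finds every `<obj>.run(...)` call and reports whether the werkzeug interactive debugger, and its in-browser code execution ("evalex"), could be active. The semantics it assumes are those of Flask's app.run() handing its options to werkzeug's run_simple(): the debugger is on when use_debugger is True, or when use_debugger is absent and debug is True; evalex is on whenever the debugger is on unless use_evalex=False is passed. The two sample launchers embedded in it are constructed to mirror the before/after snippet above.

```python
"""Audit a Flask/werkzeug service launcher for a reachable debug console.

Added example for this advisory, not code from ceph-iscsi-cli or Red Hat.
Only literal True/False keyword arguments are evaluated; anything else is
reported as "unknown" so that a human inspects it.
"""
import ast
import sys

# Constructed sample inputs modelled on the mitigation snippet above.
VULNERABLE_LAUNCHER = """
# Start the API server
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=True,
        use_reloader=False,
        ssl_context=context)
"""

FIXED_LAUNCHER = """
# Start the API server
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=False,
        use_evalex=False,
        use_reloader=False,
        ssl_context=context)
"""


def _flag(keywords, name, default):
    """Literal bool passed for keyword `name`; `default` if the keyword is
    absent; None if it is present but not a literal (e.g. a variable)."""
    if name not in keywords:
        return default
    node = keywords[name]
    if isinstance(node, ast.Constant) and isinstance(node.value, bool):
        return node.value
    return None


def audit_source(src, method="run"):
    """Return one finding per `<obj>.<method>(...)` call in `src`.

    verdict is one of:
      "debug-console" - debugger on and evalex on: remote code execution
      "debugger-only" - debugger on, evalex off: still leaks tracebacks/source
      "ok"            - debugger off
      "unknown"       - a relevant flag is not a literal; inspect by hand
    """
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == method):
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        # If `debug` is not passed here, Flask falls back to app.debug (e.g.
        # FLASK_DEBUG); this static check assumes that default is False.
        debug = _flag(kw, "debug", False)
        debugger = _flag(kw, "use_debugger", debug)   # werkzeug: use_debugger defaults to debug
        evalex = _flag(kw, "use_evalex", True)        # werkzeug: use_evalex defaults to True
        host_node = kw.get("host")
        host = host_node.value if isinstance(host_node, ast.Constant) else None

        if debugger is None or (debugger and evalex is None):
            verdict = "unknown"
        elif debugger and evalex:
            verdict = "debug-console"
        elif debugger:
            verdict = "debugger-only"
        else:
            verdict = "ok"
        findings.append({"line": node.lineno, "host": host,
                         "debugger": debugger, "evalex": evalex,
                         "verdict": verdict})
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_source(fh.read())


if __name__ == "__main__":
    # With no arguments audit the two constructed samples, otherwise the files given,
    # e.g.: python audit_debug.py /usr/bin/rbd-target-api
    targets = [(p, audit_file(p)) for p in sys.argv[1:]] or [
        ("VULNERABLE_LAUNCHER", audit_source(VULNERABLE_LAUNCHER)),
        ("FIXED_LAUNCHER", audit_source(FIXED_LAUNCHER)),
    ]
    for name, findings in targets:
        for f in findings:
            exposed = " (bound to all interfaces)" if f["host"] == "0.0.0.0" else ""
            print(f"{name}:{f['line']}: {f['verdict']}{exposed}")
```

A "debug-console" verdict on a host bound to 0.0.0.0 is the exact condition described in this advisory; "debugger-only" means the traceback page is still served but the console cannot execute code, which is why the mitigation adds use_evalex=False as well as flipping debug. The check is static, so it cannot see debug settings applied elsewhere (app.debug, FLASK_DEBUG); treat it as a configuration linter, not as proof that the service is hardened.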
upstream fix: https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b
External References: https://access.redhat.com/articles/3623521
This issue has been addressed in the following products: Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7 Via RHSA-2018:2838 https://access.redhat.com/errata/RHSA-2018:2838
This issue has been addressed in the following products: Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7 Via RHSA-2018:2837 https://access.redhat.com/errata/RHSA-2018:2837