Bug 1795592 (CVE-2020-1716) - CVE-2020-1716 ceph-ansible: hard coded credential in ceph-ansible playbook
Summary: CVE-2020-1716 ceph-ansible: hard coded credential in ceph-ansible playbook
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1795509 1795602 1795779 1813137
Blocks: 1794731
TreeView+ depends on / blocked
 
Reported: 2020-01-28 12:14 UTC by Dhananjay Arunesh
Modified: 2024-06-13 22:26 UTC (History)
17 users (show)

Fixed In Version: ceph-ansible 6.0.0alpha1
Doc Type: Known Issue
Doc Text:
A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. Any authenticated attacker can abuse this flaw to brute-force Ceph deployments, and gain administrator access to Ceph clusters via the Ceph dashboard to initiate read, write, and delete Ceph clusters and also modify Ceph cluster configurations.
Clone Of:
Environment:
Last Closed: 2020-05-19 21:15:20 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2231 0 None None None 2020-05-19 17:30:41 UTC

Description Dhananjay Arunesh 2020-01-28 12:14:24 UTC
A vulnerability was found in ceph-ansible, where hard-coded passwords were found in roles/ceph-defaults/defaults/main.yml.

Reference:
https://github.com/ceph/ceph-ansible/blob/bb3eae0c8033dc0ffbee44f490f6ad483bd109b9/roles/ceph-defaults/defaults/main.yml

Comment 6 Siddharth Sharma 2020-01-29 04:06:43 UTC
upstream fix

https://github.com/ceph/ceph-ansible/pull/4998

Comment 8 Dhananjay Arunesh 2020-02-11 09:27:57 UTC
Acknowledgments:

Name: Sarthak Srivastava

Comment 9 Joshua Padman 2020-03-13 02:47:08 UTC
Statement:

The version of ceph-ansible included in Red Hat OpenStack 15 was temporary, OpenStack 15 installations will consume updates to this package from Ceph channels.

Comment 10 Joshua Padman 2020-03-13 02:47:33 UTC
Created ceph-ansible tracking bugs for this issue:

Affects: fedora-30 [bug 1813137]

Comment 11 errata-xmlrpc 2020-05-19 17:30:39 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.1

Via RHSA-2020:2231 https://access.redhat.com/errata/RHSA-2020:2231

Comment 12 Product Security DevOps Team 2020-05-19 21:15:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1716


Note You need to log in before you can comment on or make changes to this bug.