Bug 1845387 (CVE-2020-10763) - CVE-2020-10763 heketi: gluster-block volume password details available in logs
Summary: CVE-2020-10763 heketi: gluster-block volume password details available in logs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10763
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1845388 1853545 1854255 1854256 1877066
Blocks: 1844590
Reported: 2020-06-09 05:49 UTC by Hardik Vyas
Modified: 2021-02-24 15:10 UTC (History)
CC List: 28 users

Fixed In Version: heketi 10.1.0
Doc Type: If docs needed, set a value
Doc Text:
An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information, such as gluster-block passwords, from the Heketi logs.
Clone Of:
Environment:
Last Closed: 2020-09-30 20:21:12 UTC
Embargoed:


Links
  Red Hat Product Errata RHSA-2020:4143 (last updated 2020-09-30 15:17:19 UTC)
  Red Hat Product Errata RHSA-2020:5633 (last updated 2021-02-24 15:10:04 UTC)

Description Hardik Vyas 2020-06-09 05:49:45 UTC
While requesting a new block volume creation, at Heketi we dump the sensitive gluster-block volume PASSWORD details in the logs. This is a very old bug, present since the introduction of block volume support in heketi-v6.0.0.
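As an added illustration (this is example code, not heketi's own code and not the upstream fix), the following Go program puts the logging pattern the report describes next to a redacting variant, and adds a scan that flags log lines in which a gluster-block PASSWORD value has already been written in clear. The JSON field names (IQN, USERNAME, PASSWORD, PORTAL(S), RESULT), the command output and every log line are constructed for the example and are not taken from heketi or gluster-block.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleOutput is a constructed stand-in for the JSON that a gluster-block
// create call with --json might return. Field names are assumed for this
// example and are not taken from the heketi or gluster-block code bases.
const SampleOutput = `{ "IQN": "iqn.2016-12.org.gluster-block:0a1b2c3d", "USERNAME": "0a1b2c3d-user", "PASSWORD": "s3cr3t-chap-pass", "PORTAL(S)": [ "10.0.0.1:3260" ], "RESULT": "SUCCESS" }`

// BlockInfo holds the fields a management layer needs back from the create call.
type BlockInfo struct {
	IQN      string   `json:"IQN"`
	Username string   `json:"USERNAME"`
	Password string   `json:"PASSWORD"`
	Portals  []string `json:"PORTAL(S)"`
	Result   string   `json:"RESULT"`
}

// passwordField matches a "PASSWORD": "<value>" pair. Group 1 is the key part
// (kept on redaction), group 2 is the value. Case-insensitive so a differently
// cased key is not missed by the scanner.
var passwordField = regexp.MustCompile(`(?i)("PASSWORD"\s*:\s*)"([^"]*)"`)

// LogLineVulnerable is the pattern this bug describes: the raw command output,
// CHAP password included, is formatted straight into the log record.
func LogLineVulnerable(rawOutput string) string {
	return fmt.Sprintf("[cmdexec] block volume create result: %s", rawOutput)
}

// RedactPassword returns rawOutput with every PASSWORD value replaced by a
// placeholder so the string is safe to log. The password itself stays available
// to the caller through ParseBlockInfo; only the log path is scrubbed.
func RedactPassword(rawOutput string) string {
	return passwordField.ReplaceAllString(rawOutput, `${1}"[REDACTED]"`)
}

// LogLineHardened logs the same event with the password scrubbed.
func LogLineHardened(rawOutput string) string {
	return fmt.Sprintf("[cmdexec] block volume create result: %s", RedactPassword(rawOutput))
}

// ParseBlockInfo decodes the create output for program use: the password has to
// reach the consumer of the volume, it just must not reach the log.
func ParseBlockInfo(rawOutput string) (BlockInfo, error) {
	var info BlockInfo
	err := json.Unmarshal([]byte(rawOutput), &info)
	return info, err
}

// ScanLogForPasswords is the detection side: it returns the 1-based numbers of
// the lines in logText that carry a non-empty, non-redacted PASSWORD value,
// which is what an operator auditing an existing log for this issue looks for.
func ScanLogForPasswords(logText string) []int {
	var hits []int
	for i, line := range strings.Split(logText, "\n") {
		for _, m := range passwordField.FindAllStringSubmatch(line, -1) {
			if m[2] != "" && m[2] != "[REDACTED]" {
				hits = append(hits, i+1)
				break
			}
		}
	}
	return hits
}

// ConstructedLog is a made-up excerpt: line 2 leaks the password, line 3 is the
// hardened form of the same event.
var ConstructedLog = strings.Join([]string{
	"[heketi] INFO 2020/06/09 05:49:45 creating block volume blockvol_1",
	"[heketi] INFO 2020/06/09 05:49:46 " + LogLineVulnerable(SampleOutput),
	"[heketi] INFO 2020/06/09 05:49:46 " + LogLineHardened(SampleOutput),
}, "\n")

func main() {
	fmt.Println("vulnerable:", LogLineVulnerable(SampleOutput))
	fmt.Println("hardened:  ", LogLineHardened(SampleOutput))
	info, err := ParseBlockInfo(SampleOutput)
	if err != nil {
		panic(err)
	}
	fmt.Printf("parsed IQN=%s user=%s password-length=%d\n", info.IQN, info.Username, len(info.Password))
	fmt.Println("log lines with a plaintext password:", ScanLogForPasswords(ConstructedLog))
}
```

The scrub runs on the string that is about to be logged, not on the parsed structure, because the leak in this class of bug is usually a convenience dump of raw command output rather than a deliberate log of the password field. The scanner is useful after the fact: a log that already contains a line flagged by ScanLogForPasswords means the CHAP credential for that volume should be treated as exposed.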

Comment 1 Hardik Vyas 2020-06-09 05:49:49 UTC
Acknowledgments:

Name: Prasanna Kumar Kalever (Red Hat)

Comment 2 Hardik Vyas 2020-06-09 05:49:51 UTC
Statement:

The version of heketi shipped with Red Hat Gluster Storage 3 does not filter out gluster-block volume passwords and hence is affected by this vulnerability.

Comment 3 Hardik Vyas 2020-06-09 05:49:53 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 8 Jason Shepherd 2020-07-07 00:32:15 UTC
OpenShift 3.11 uses heketi-v4.0.0-95-gaaf40619 which isn't affected by this issue.

The efs-provisioner container in OpenShift 4 doesn't include the vulnerable package (executors/cmdexec/block_volume) [1]

[1] https://github.com/openshift/external-storage/blob/34efc4c2dc0f7032db94b760a9c563ef914cd285/Gopkg.lock#L325

Comment 17 Hardik Vyas 2020-09-30 14:51:51 UTC
Upstream PR: https://github.com/heketi/heketi/pull/1790

Comment 19 Hardik Vyas 2020-09-30 14:53:59 UTC
External References:

https://github.com/heketi/heketi/releases/tag/v10.1.0

Comment 20 errata-xmlrpc 2020-09-30 15:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2020:4143 https://access.redhat.com/errata/RHSA-2020:4143

Comment 21 Product Security DevOps Team 2020-09-30 20:21:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10763

Comment 23 errata-xmlrpc 2021-02-24 15:10:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
