Bug 1892108 (CVE-2020-25677) - CVE-2020-25677 ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file
Summary: CVE-2020-25677 ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.co...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1892106 (view as bug list)
Depends On: 1899797 1890119 1894819 1899793
Blocks: 1890245
TreeView+ depends on / blocked
 
Reported: 2020-10-27 22:24 UTC by amctagga
Modified: 2021-02-23 09:49 UTC (History)
20 users (show)

Fixed In Version: ceph-ansible-4.0.41
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ceph-ansible where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-01-12 18:27:46 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0081 0 None None None 2021-01-12 14:55:54 UTC

Description amctagga 2020-10-27 22:24:23 UTC
ceph-ansible creates /etc/ceph/iscsi-gateway.conf with insecure ownership. This file contains sensitive information that can be read by any user on the system.

Comment 2 Tomas Hoger 2020-10-28 18:55:23 UTC
*** Bug 1892106 has been marked as a duplicate of this bug. ***

Comment 3 Summer Long 2020-11-05 07:07:30 UTC
Upstream fix: https://github.com/ceph/ceph-ansible/pull/5964

RHOSP13(queens): 'deploy gateway settings' was still in tasks/prerequisites.yml (moved later to tasks/common.yml), but has the same error (600 mode isn't specified for the iscsi-gateway.cfg file).

Comment 12 amctagga 2020-11-20 02:42:25 UTC
Statement:

Red Hat OpenStack Platform 13 ships the flawed code, however RHOSP does not deploy ceph-iscsi-gw role in any supported scenario.  For this reason, a ceph-ansible update will not be provided at this time.

Red Hat Ceph Storage 3 and 4 create /etc/ceph/iscsi-gateway.conf with the insecure permissions.

Comment 14 errata-xmlrpc 2021-01-12 14:56:32 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:0081 https://access.redhat.com/errata/RHSA-2021:0081

Comment 15 Product Security DevOps Team 2021-01-12 18:27:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25677


Note You need to log in before you can comment on or make changes to this bug.