Bug 1892108 (CVE-2020-25677) - CVE-2020-25677 ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file
Summary: CVE-2020-25677 ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.co...
Alias: CVE-2020-25677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: Embargoed1892106 (view as bug list)
Depends On: Red Hat1899797 Red Hat1890119 Embargoed1894819 Embargoed1899793
Blocks: Embargoed1890245
TreeView+ depends on / blocked
Reported: 2020-10-27 22:24 UTC by Sage McTaggart
Modified: 2021-02-23 09:49 UTC (History)
20 users (show)

Fixed In Version: ceph-ansible-4.0.41
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ceph-ansible where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Last Closed: 2021-01-12 18:27:46 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0081 0 None None None 2021-01-12 14:55:54 UTC

Description Sage McTaggart 2020-10-27 22:24:23 UTC
ceph-ansible creates /etc/ceph/iscsi-gateway.conf with insecure ownership. This file contains sensitive information that can be read by any user on the system.

Comment 2 Tomas Hoger 2020-10-28 18:55:23 UTC
*** EmbargoedBug 1892106 has been marked as a duplicate of this bug. ***

Comment 3 Summer Long 2020-11-05 07:07:30 UTC
Upstream fix: https://github.com/ceph/ceph-ansible/pull/5964

RHOSP13(queens): 'deploy gateway settings' was still in tasks/prerequisites.yml (moved later to tasks/common.yml), but has the same error (600 mode isn't specified for the iscsi-gateway.cfg file).

Comment 12 Sage McTaggart 2020-11-20 02:42:25 UTC

Red Hat OpenStack Platform 13 ships the flawed code, however RHOSP does not deploy ceph-iscsi-gw role in any supported scenario.  For this reason, a ceph-ansible update will not be provided at this time.

Red Hat Ceph Storage 3 and 4 create /etc/ceph/iscsi-gateway.conf with the insecure permissions.

Comment 14 errata-xmlrpc 2021-01-12 14:56:32 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:0081 https://access.redhat.com/errata/RHSA-2021:0081

Comment 15 Product Security DevOps Team 2021-01-12 18:27:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.