Bug 1892108 (CVE-2020-25677) - CVE-2020-25677 ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1892106
Depends On: 1899797 1890119 1894819 1899793
Blocks: 1890245
Reported: 2020-10-27 22:24 UTC by Sage McTaggart
Modified: 2021-02-23 09:49 UTC (History)

Fixed In Version: ceph-ansible-4.0.41
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ceph-ansible, which creates /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any local user on the system to read the sensitive information within this file. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-01-12 18:27:46 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2021:0081 (last updated 2021-01-12 14:55:54 UTC)

Description Sage McTaggart 2020-10-27 22:24:23 UTC
ceph-ansible creates /etc/ceph/iscsi-gateway.conf with insecure ownership. This file contains sensitive information that can be read by any user on the system.

Comment 2 Tomas Hoger 2020-10-28 18:55:23 UTC
*** Bug 1892106 has been marked as a duplicate of this bug. ***

Comment 3 Summer Long 2020-11-05 07:07:30 UTC
Upstream fix: https://github.com/ceph/ceph-ansible/pull/5964

RHOSP13 (queens): 'deploy gateway settings' was still in tasks/prerequisites.yml (moved later to tasks/common.yml), but has the same error (600 mode isn't specified for the iscsi-gateway.cfg file).

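The flaw comment 3 describes is a missing file mode on the task that writes the gateway configuration, and the remediation is the one a hardened Ansible task would apply: owner root and mode 0600. The script below is an added example, not code from ceph-ansible or from this bug's participants: it audits a config file for exactly that condition and remediates it. It assumes a GNU or BusyBox `stat` (the `-c` format flag) and a POSIX shell; the path defaults to /etc/ceph/iscsi-gateway.conf but any path can be passed in.

```shell
#!/bin/sh
# Audit and remediate ownership/permissions on the ceph-iscsi gateway config.
# Added example; not part of ceph-ansible. Assumes GNU/BusyBox `stat -c`.

# Default target; override by passing a path to the functions.
ISCSI_GW_CONF="${ISCSI_GW_CONF:-/etc/ceph/iscsi-gateway.conf}"

# Print "<octal mode> <owner> <group>" for a file, e.g. "644 root root".
conf_perms() {
    stat -c '%a %U %G' "$1"
}

# Return 0 if the file is readable by its owner only (group/other bits clear)
# and owned by the expected user.  $1 = path, $2 = expected owner (default root).
# Setuid/setgid/sticky digits are ignored; only the rwx triplets matter here.
conf_is_secure() {
    path=$1
    owner=${2:-root}
    perms=$(stat -c '%a %U' "$path" 2>/dev/null) || return 1
    mode=${perms% *}
    file_owner=${perms#* }
    [ "$file_owner" = "$owner" ] || return 1
    # Keep only the last three octal digits (user, group, other).
    case "$mode" in
        ????) mode=${mode#?} ;;
    esac
    # Group and other must have no bits at all: 600, 400, 700, ...
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply what a correct deployment task should have done: owner + mode 0600.
# $1 = path, $2 = owner (default root).  Group is left unchanged.
conf_harden() {
    path=$1
    owner=${2:-root}
    chown "$owner" "$path" && chmod 0600 "$path"
}

# Report one line per file and return nonzero if anything is exposed.
# Usage: audit_iscsi_gw_conf [path] [owner]
audit_iscsi_gw_conf() {
    path=${1:-$ISCSI_GW_CONF}
    owner=${2:-root}
    if [ ! -f "$path" ]; then
        echo "SKIP  $path (not present)"
        return 0
    fi
    if conf_is_secure "$path" "$owner"; then
        echo "OK    $path ($(conf_perms "$path"))"
        return 0
    fi
    echo "EXPOSED $path ($(conf_perms "$path")): world/group readable or wrong owner"
    return 1
}

# Typical use on a gateway node (run as root):
#   . ./iscsi_gw_conf_check.sh
#   audit_iscsi_gw_conf || conf_harden "$ISCSI_GW_CONF"
```

The check treats 0600, 0400 and 0700 as acceptable and everything with group or other bits set as exposed; `audit_iscsi_gw_conf` is written to be dropped into a compliance run, where a nonzero exit flags the host. On a real gateway the remediation must run as root, and it only closes the window going forward: anything a local user already copied out of the file (CHAP credentials, API passwords) should be rotated.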
Comment 12 Sage McTaggart 2020-11-20 02:42:25 UTC
Statement:

Red Hat OpenStack Platform 13 ships the flawed code; however, RHOSP does not deploy the ceph-iscsi-gw role in any supported scenario. For this reason, a ceph-ansible update will not be provided at this time.

Red Hat Ceph Storage 3 and 4 create /etc/ceph/iscsi-gateway.conf with the insecure permissions.

Comment 14 errata-xmlrpc 2021-01-12 14:56:32 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:0081 https://access.redhat.com/errata/RHSA-2021:0081

Comment 15 Product Security DevOps Team 2021-01-12 18:27:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25677

