Bug 1892109 (CVE-2020-25678) - CVE-2020-25678 ceph: mgr modules' passwords are in clear text in mgr logs
Summary: CVE-2020-25678 ceph: mgr modules' passwords are in clear text in mgr logs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25678
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium / medium (priority / severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1885869 1899764 1900681 1903757 1910512 1915506
Blocks: 1886169
 
Reported: 2020-10-27 22:35 UTC by Sage McTaggart
Modified: 2023-09-05 12:18 UTC
CC List: 28 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ceph: the passwords configured for mgr modules are written to the mgr logs in clear text. The leak can be confirmed by searching the mgr logs for the Grafana and dashboard module entries, where the passwords are visible. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-04-28 22:46:36 UTC
Embargoed:



Description Sage McTaggart 2020-10-27 22:35:07 UTC
Mgr modules' passwords are in clear text in mgr logs, visible as plaintext with sudo.
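The flaw described above is a classic secrets-in-logs failure: a module logs its configuration, including credential values, and anyone who can read the log file (here, via sudo) obtains the passwords. The example below is an added illustration, not code from Ceph or from this bug's fix. It assumes that the logging component uses Python's standard `logging` module (Ceph mgr modules are Python, but the wiring shown here is an assumption) and shows two defensive pieces: a `logging.Filter` that redacts credential-looking `key=value` / `key: value` pairs before a record is emitted, and an audit function that scans existing log lines for values that were not redacted. The option names and log lines are constructed for the example and are not Ceph's real log format.

```python
import logging
import re

# Option-name suffixes whose values must never reach a log file.
# Illustrative list; real option names depend on the module (assumption).
SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key")

# Matches `<key>=<value>` and `<key>: <value>` where <key> ends in one of the
# suffixes above (e.g. grafana-api-password=hunter2). Constructed pattern,
# not Ceph's own log syntax. Case-insensitive so GRAFANA_API_PASSWORD matches.
_SECRET_RE = re.compile(
    r"(?i)\b(?P<key>[\w.-]*(?:" + "|".join(SECRET_KEYS) + r"))"
    r"(?P<sep>\s*[=:]\s*)"
    r"(?P<val>'[^']*'|\"[^\"]*\"|\S+)"
)
REDACTED = "<redacted>"


def redact(message: str) -> str:
    """Replace the value of every credential-looking key with a fixed marker."""
    return _SECRET_RE.sub(
        lambda m: f"{m.group('key')}{m.group('sep')}{REDACTED}", message
    )


def find_leaks(lines):
    """Audit helper: return (line_number, key) for each line that still carries
    a secret value. Use it over an existing log to find what has already leaked."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _SECRET_RE.finditer(line):
            if m.group("val").strip("'\"") != REDACTED:
                hits.append((n, m.group("key")))
    return hits


class RedactSecrets(logging.Filter):
    """Filter that rewrites the fully formatted message before it is emitted,
    so a careless `log.info("config: %s", cfg)` cannot leak a credential."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already interpolated; avoid re-formatting
        return True


def emit_redacted(messages):
    """Route messages through a logger whose handler carries the filter and
    return exactly what would have been written to the log."""
    out = []

    class _Collect(logging.Handler):
        def emit(self, record):
            out.append(self.format(record))

    handler = _Collect()
    handler.setFormatter(logging.Formatter("%(name)s: %(message)s"))
    handler.addFilter(RedactSecrets())
    logger = logging.getLogger("mgr.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    for m in messages:
        logger.info(m)
    return out


# Constructed sample lines in the spirit of what a module might log; they are
# NOT real Ceph mgr output.
SAMPLE_LINES = [
    "mgr[dashboard] set grafana-api-password=hunter2 for http://grafana:3000",
    "mgr[dashboard] mgr/dashboard/GRAFANA_API_PASSWORD: s3cr3t!",
    "mgr[dashboard] api_user=admin api_url=http://grafana:3000",
    "mgr[dashboard] token=abc.def.ghi expires_in=3600",
]

if __name__ == "__main__":
    print("leaks in raw log:", find_leaks(SAMPLE_LINES))
    for line in emit_redacted(SAMPLE_LINES):
        print(line)
    print("leaks after redaction:", find_leaks([redact(l) for l in SAMPLE_LINES]))
```

Redacting at the filter stage is a backstop, not a substitute for never passing credential values to the logger in the first place; the regex only catches values attached to recognisable key names, so a secret logged under an unexpected name still goes through. The audit function is the check to run against logs that were written before the fix, since the confidentiality impact persists in any retained log copies.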

Comment 10 Summer Long 2020-11-23 00:18:59 UTC
Upstream issue: https://tracker.ceph.com/issues/37503

Comment 12 Sage McTaggart 2020-11-23 14:18:10 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1900681]

Comment 14 Sage McTaggart 2020-11-23 22:35:53 UTC
External References:

https://tracker.ceph.com/issues/37503

Comment 16 RaTasha Tillery-Smith 2021-02-10 14:48:35 UTC
Statement:

* Red Hat Ceph Storage 4 is affected by this flaw, with the passwords visible under sudo. Red Hat Ceph Storage 3 is not affected by this flaw, and does not log passwords by default. 

* Red Hat OpenShift Container Storage (RHOCS) 4 shipped the Ceph package for use by RHOCS 4.2 only, which has reached End of Life. Hence, the Ceph package is no longer used or supported as of the release of RHOCS 4.3.

* Red Hat OpenStack Platform deployments use the Ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.

Comment 18 errata-xmlrpc 2021-04-28 20:12:30 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:1452 https://access.redhat.com/errata/RHSA-2021:1452

Comment 19 Product Security DevOps Team 2021-04-28 22:46:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25678

