Bug 1901330 (CVE-2020-27839) - CVE-2020-27839 ceph-dashboard: Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers
Summary: CVE-2020-27839 ceph-dashboard: Don't use Browser's LocalStorage for storing J...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27839
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1906948 1906954 1910511
Blocks: 1898181
TreeView+ depends on / blocked
 
Reported: 2020-11-24 21:21 UTC by Sage McTaggart
Modified: 2023-09-05 12:18 UTC (History)
33 users (show)

Fixed In Version: ceph-dashboard 14.2.17, ceph-dashboard 15.2.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-06-15 21:03:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 44591 0 None None None 2021-01-12 00:21:15 UTC
Red Hat Bugzilla 1889435 1 medium CLOSED (CVE-2020-27839) [security] Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers 2021-08-30 08:31:33 UTC
Red Hat Product Errata RHSA-2021:2445 0 None None None 2021-06-15 17:13:02 UTC

Description Sage McTaggart 2020-11-24 21:21:55 UTC 
Issue:

The JSON Web Token (JWT) used for user authentication is stored the by the frontend application in the browser’s localStorage.


Suggestion:

Do not store sensitive data in HTML5 localStorage, not even temporarily. Use cookies with appropriate security flags (secure, HttpOnly, SameSite).
Comment 6 Sage McTaggart 2020-12-11 22:39:41 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1906954]
Comment 10 Sage McTaggart 2020-12-17 18:34:46 UTC 
https://tracker.ceph.com/issues/44591 attaching ceph tracker for reference.
Comment 12 Eric Christensen 2021-02-17 20:14:48 UTC 
Statement:

* Red Hat Ceph Storage 3 is not affected as it does not use authentication for the dashboard.

* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.

* Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only which has reached End of Life. The shipped version of ceph package is neither used nor supported with the release of RHOCS 4.3.

* Red Hat Enterprise Linux 8 does not include the ceph dashboard component.
Comment 13 Eric Christensen 2021-02-17 20:14:50 UTC 
Mitigation:

Do not store sensitive data in HTML5 localStorage, not even temporarily. Use cookies with appropriate security flags (secure, HttpOnly, SameSite).
Comment 14 errata-xmlrpc 2021-06-15 17:12:58 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:2445 https://access.redhat.com/errata/RHSA-2021:2445
Comment 15 Product Security DevOps Team 2021-06-15 21:03:54 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27839
Note You need to log in before you can comment on or make changes to this bug.