The reuse of old keys to generate new ones, in conjunction with the ability for a user to request any global id, presents an opportunity for an attacker to request a previously valid global id without the corresponding prior key.
Name: Ilya Dryomov (Red Hat)
* Red Hat OpenShift Container Storage (RHOCS) 4 shipped the ceph package for use by RHOCS 4.2 only, which has reached End of Life. The shipped version of the ceph package is no longer used or supported with the release of RHOCS 4.3.
* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP ceph package will not be updated at this time.
* The ceph packages included in Red Hat Enterprise Linux only provide client-side libraries and tools and therefore are not affected by this issue, which affects the ceph-mon service.
https://github.com/ceph/ceph/commits/nautilus (commits on top of 14.2.19)
https://github.com/ceph/ceph/commits/octopus (commits on top of 15.2.10)
https://github.com/ceph/ceph/commits/pacific (commits on top of 16.2.0)
Merged into master:
Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1952085]