Bug 1665334 (CVE-2018-16889) - CVE-2018-16889 ceph: debug logging for v4 auth does not sanitize encryption keys
Status: NEW
Alias: CVE-2018-16889
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190110,repor...
Keywords: Security
Depends On: 1669387 1665335
Blocks: 1658871
Reported: 2019-01-11 02:01 UTC by Sam Fowler
Modified: 2019-06-08 23:48 UTC

It was found that Ceph RGW did not properly sanitize encryption keys in debug logging for v4 auth. Encryption keys could be inadvertently disclosed when sharing debug logs.

Description Sam Fowler 2019-01-11 02:01:25 UTC
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext.


Upstream Patch:

https://github.com/ceph/ceph/pull/25881/commits


Upstream Bug:

http://tracker.ceph.com/issues/37847

Comment 1 Sam Fowler 2019-01-11 02:01:39 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1665335]

