Mgr modules' passwords are in clear text in mgr logs, visible as plaintext with sudo.
Upstream issue: https://tracker.ceph.com/issues/37503
Created ceph tracking bugs for this issue: Affects: fedora-all [bug 1900681]
External References: https://tracker.ceph.com/issues/37503
Statement: * Red Hat Ceph Storage 4 is affected by this flaw, with the passwords visible under sudo. Red Hat Ceph Storage 3 is not affected by this flaw, and does not log passwords by default. * Red Hat OpenShift Container Storage (RHOCS) 4 shipped Ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. Hence, the Ceph package is no longer used and supported with the release of RHOCS 4.3. * Red Hat OpenStack Platform deployments use the Ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.
This issue has been addressed in the following products: Red Hat Ceph Storage 4.2 Via RHSA-2021:1452 https://access.redhat.com/errata/RHSA-2021:1452
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25678