Bug 1111177 (CVE-2018-14662)

Summary: VUL-1: CVE-2018-14662: ceph: LUKS "config-key" safety issue
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Nathan Cutler <ncutler>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: atoptsoglou, jluis, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3:SUSE:CVE-2018-14662:1.8:(AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2018-14662:3.5:(AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv2:NVD:CVE-2018-14662:2.7:(AV:A/AC:L/Au:S/C:P/I:N/A:N) CVSSv3:NVD:CVE-2018-14662:5.7:(AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Johannes Segitz 2018-10-10 07:31:35 UTC
This is an embargoed bug. This means that this information is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not submit this into OBS (e.g. fix Leap) until this is public
- do not make this bug public
- Please be aware that the SUSE:SLE-12-SP4:GA and SUSE:SLE-15-SP1:GA codestreams are available via OBS.
  This means that you can't submit security fixes for embargoed issues to these GA codestreams under
  development until they become public.

If in doubt, please talk to us on IRC (#security) or send us a mail.

Comment 2 Nathan Cutler 2019-01-22 13:28:53 UTC
This bug is now public - see https://ceph.com/releases/13-2-4-mimic-released/

Comment 5 Swamp Workflow Management 2019-02-26 20:09:41 UTC
SUSE-SU-2019:0499-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Enterprise Storage 5 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform ALL (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform 3.0 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2

Comment 6 Swamp Workflow Management 2019-03-08 14:16:12 UTC
openSUSE-SU-2019:0306-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-21.1, ceph-test-12.2.10+git.1549630712.bb089269ea-21.1

Comment 7 Swamp Workflow Management 2019-03-11 13:20:35 UTC
This is an autogenerated message for OBS integration:
This bug (1111177) was mentioned in
https://build.opensuse.org/request/show/683881 15.0 / ceph

Comment 8 Swamp Workflow Management 2019-03-12 20:15:32 UTC
SUSE-SU-2019:0586-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1084645,1086613,1096748,1099162,1101262,1111177,1114567
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129,CVE-2018-14662,CVE-2018-16846
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ceph-13.2.4.125+gad802694f5-3.7.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    ceph-13.2.4.125+gad802694f5-3.7.2

Comment 9 Swamp Workflow Management 2019-04-27 22:33:21 UTC
openSUSE-SU-2019:1284-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1084645,1086613,1096748,1099162,1101262,1111177,1114567,1114710
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129,CVE-2018-14662,CVE-2018-16846
Sources used:
openSUSE Leap 15.0 (src):    ceph-13.2.4.125+gad802694f5-lp150.2.3.1, ceph-test-13.2.4.125+gad802694f5-lp150.2.3.1