Bug 1121567 (CVE-2018-16889)

Summary: VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug logging for v4 auth
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: alekshmanan, carlos.lopez, meissner, smash_bz, tserong
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/222597/
Whiteboard: CVSSv3:SUSE:CVE-2018-16889:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2019-01-11 09:31:06 UTC
rh#1665334

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext.

Upstream Bug:
http://tracker.ceph.com/issues/37847
https://github.com/ceph/ceph/pull/25881/

Upstream Patch:
https://github.com/ceph/ceph/pull/25881/commits/ba55e2a96c9dfcc7aa2311431beaaa23cb05c30d

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1665334
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16889
Comment 1 Swamp Workflow Management 2019-02-26 20:10:15 UTC
SUSE-SU-2019:0499-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Enterprise Storage 5 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform ALL (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform 3.0 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
Comment 2 Swamp Workflow Management 2019-03-08 14:16:37 UTC
openSUSE-SU-2019:0306-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-21.1, ceph-test-12.2.10+git.1549630712.bb089269ea-21.1
Comment 3 Nathan Cutler 2019-05-22 10:06:04 UTC
This is fixed in both SES5 and SES6:

* SES5: f8f30fc3718d723d58633db4b0ca838c5fa32a12
* SES6: 000797941fd303c3adc24f0089aeee0e902da205

The bsc# and CVE are mentioned in both changes files.

I'll leave the bug open, though, to track the fix for SES4.
Comment 10 Swamp Workflow Management 2019-08-05 19:14:05 UTC
SUSE-SU-2019:2049-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1121567,1123360,1124957,1125080,1125899,1131984,1132396,1133139,1133461,1135030,1135219,1135221,1135388,1136110
CVE References: CVE-2018-16889,CVE-2019-3821
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2, ceph-test-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Enterprise Storage 6 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Nathan Cutler 2019-08-15 13:37:49 UTC
Fixed in SES6 and SES5. Not applicable to SES4.
Comment 13 Swamp Workflow Management 2019-09-12 13:12:07 UTC
SUSE-SU-2019:2364-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1121567,1149961
CVE References: CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Enterprise Storage 5 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE CaaS Platform 3.0 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Tim Serong 2022-08-16 05:11:58 UTC
Looking at the original issue, my reading is that this problem only affects the logs for the RGW server, which we ship in SES, and that it's fixed in all affected SES releases.

The fix has *not* been applied to ceph 13.x in SLE 15 GA, but that should not matter, as SLE 15 basesystem only includes ceph client tools and libraries, and thus cannot be used to run an RGW server.