Bug 1121567 – VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug logging for v4 auth

Bug 1121567 - (CVE-2018-16889) VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug logging for v4 auth

(CVE-2018-16889)
Summary:	VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug loggi...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/222597/
Whiteboard:	CVSSv3:SUSE:CVE-2018-16889:5.5:(AV:L/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-01-11 09:31 UTC by Alexander Bergmann
Modified:	2022-08-16 07:39 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2019-01-11 09:31:06 UTC

rh#1665334

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext.

Upstream Bug:
http://tracker.ceph.com/issues/37847
https://github.com/ceph/ceph/pull/25881/

Upstream Patch:
https://github.com/ceph/ceph/pull/25881/commits/ba55e2a96c9dfcc7aa2311431beaaa23cb05c30d

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1665334
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16889

Comment 1 Swamp Workflow Management 2019-02-26 20:10:15 UTC

SUSE-SU-2019:0499-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Enterprise Storage 5 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform ALL (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform 3.0 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2

Comment 2 Swamp Workflow Management 2019-03-08 14:16:37 UTC

openSUSE-SU-2019:0306-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-21.1, ceph-test-12.2.10+git.1549630712.bb089269ea-21.1

Comment 3 Nathan Cutler 2019-05-22 10:06:04 UTC

This is fixed in both SES5 and SES6:

* SES5: f8f30fc3718d723d58633db4b0ca838c5fa32a12
* SES6: 000797941fd303c3adc24f0089aeee0e902da205

The bsc# and CVE are mentioned in both changes files.

I'll leave the bug open, though, to track the fix for SES4.

Comment 10 Swamp Workflow Management 2019-08-05 19:14:05 UTC

SUSE-SU-2019:2049-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1121567,1123360,1124957,1125080,1125899,1131984,1132396,1133139,1133461,1135030,1135219,1135221,1135388,1136110
CVE References: CVE-2018-16889,CVE-2019-3821
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2, ceph-test-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Enterprise Storage 6 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Nathan Cutler 2019-08-15 13:37:49 UTC

Fixed in SES6 and SES5. Not applicable to SES4.

Comment 13 Swamp Workflow Management 2019-09-12 13:12:07 UTC

SUSE-SU-2019:2364-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1121567,1149961
CVE References: CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Enterprise Storage 5 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE CaaS Platform 3.0 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Tim Serong 2022-08-16 05:11:58 UTC

Looking at the original issue, my reading is that this problem only affects the logs for the RGW server, which we ship in SES, and that it's fixed in all affected SES releases.

The fix has *not* been applied to ceph 13.x in SLE 15 GA, but that should not matter, as SLE 15 basesystem only includes ceph client tools and libraries, and thus cannot be used to run an RGW server.