Bugzilla – Bug 1121567
VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug logging for v4 auth
Last modified: 2021-07-19 10:43:32 UTC
rh#1665334

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext.

Upstream Bug:
http://tracker.ceph.com/issues/37847
https://github.com/ceph/ceph/pull/25881/

Upstream Patch:
https://github.com/ceph/ceph/pull/25881/commits/ba55e2a96c9dfcc7aa2311431beaaa23cb05c30d

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1665334
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16889

SUSE-SU-2019:0499-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
* SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE Linux Enterprise Server 12-SP4 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE Linux Enterprise Server 12-SP3 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE Linux Enterprise Desktop 12-SP4 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE Linux Enterprise Desktop 12-SP3 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE Enterprise Storage 5 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE CaaS Platform ALL (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
* SUSE CaaS Platform 3.0 (src): ceph-12.2.10+git.1549630712.bb089269ea-2.27.2

openSUSE-SU-2019:0306-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
* openSUSE Leap 42.3 (src): ceph-12.2.10+git.1549630712.bb089269ea-21.1, ceph-test-12.2.10+git.1549630712.bb089269ea-21.1

This is fixed in both SES5 and SES6:
* SES5: f8f30fc3718d723d58633db4b0ca838c5fa32a12
* SES6: 000797941fd303c3adc24f0089aeee0e902da205
The bsc# and CVE are mentioned in both changes files. I'll leave the bug open, though, to track the fix for SES4.

SUSE-SU-2019:2049-1: An update that solves two vulnerabilities and has 12 fixes is now available.
Category: security (important)
Bug References: 1121567,1123360,1124957,1125080,1125899,1131984,1132396,1133139,1133461,1135030,1135219,1135221,1135388,1136110
CVE References: CVE-2018-16889,CVE-2019-3821
Sources used:
* SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): ceph-14.2.1.468+g994fd9e0cc-3.3.2, ceph-test-14.2.1.468+g994fd9e0cc-3.3.2
* SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): ceph-14.2.1.468+g994fd9e0cc-3.3.2
* SUSE Enterprise Storage 6 (src): ceph-14.2.1.468+g994fd9e0cc-3.3.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Fixed in SES6 and SES5. Not applicable to SES4.

SUSE-SU-2019:2364-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1121567,1149961
CVE References: CVE-2018-16889
Sources used:
* SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ceph-12.2.12+git.1568024032.02236657ca-2.39.1
* SUSE Linux Enterprise Server 12-SP4 (src): ceph-12.2.12+git.1568024032.02236657ca-2.39.1
* SUSE Linux Enterprise Desktop 12-SP4 (src): ceph-12.2.12+git.1568024032.02236657ca-2.39.1
* SUSE Enterprise Storage 5 (src): ceph-12.2.12+git.1568024032.02236657ca-2.39.1
* SUSE CaaS Platform 3.0 (src): ceph-12.2.12+git.1568024032.02236657ca-2.39.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.