Bug 1121567 - (CVE-2018-16889) VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug logging for v4 auth
(CVE-2018-16889)
VUL-0: CVE-2018-16889: ceph: properly sanitize encryption keys in debug loggi...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Nathan Cutler
Security Team bot
https://smash.suse.de/issue/222597/
CVSSv3:SUSE:CVE-2018-16889:5.5:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-01-11 09:31 UTC by Alexander Bergmann
Modified: 2021-07-19 10:43 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-01-11 09:31:06 UTC
rh#1665334

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext.

Upstream Bug:
http://tracker.ceph.com/issues/37847
https://github.com/ceph/ceph/pull/25881/

Upstream Patch:
https://github.com/ceph/ceph/pull/25881/commits/ba55e2a96c9dfcc7aa2311431beaaa23cb05c30d

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1665334
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16889
Comment 1 Swamp Workflow Management 2019-02-26 20:10:15 UTC
SUSE-SU-2019:0499-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE Enterprise Storage 5 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform ALL (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
SUSE CaaS Platform 3.0 (src):    ceph-12.2.10+git.1549630712.bb089269ea-2.27.2
Comment 2 Swamp Workflow Management 2019-03-08 14:16:37 UTC
openSUSE-SU-2019:0306-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111177,1113246,1114710,1121567
CVE References: CVE-2018-14662,CVE-2018-16846,CVE-2018-16889
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.10+git.1549630712.bb089269ea-21.1, ceph-test-12.2.10+git.1549630712.bb089269ea-21.1
Comment 3 Nathan Cutler 2019-05-22 10:06:04 UTC
This is fixed in both SES5 and SES6:

* SES5: f8f30fc3718d723d58633db4b0ca838c5fa32a12
* SES6: 000797941fd303c3adc24f0089aeee0e902da205

The bsc# and CVE are mentioned in both changes files.

I'll leave the bug open, though, to track the fix for SES4.
Comment 10 Swamp Workflow Management 2019-08-05 19:14:05 UTC
SUSE-SU-2019:2049-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1121567,1123360,1124957,1125080,1125899,1131984,1132396,1133139,1133461,1135030,1135219,1135221,1135388,1136110
CVE References: CVE-2018-16889,CVE-2019-3821
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2, ceph-test-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2
SUSE Enterprise Storage 6 (src):    ceph-14.2.1.468+g994fd9e0cc-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Nathan Cutler 2019-08-15 13:37:49 UTC
Fixed in SES6 and SES5. Not applicable to SES4.
Comment 13 Swamp Workflow Management 2019-09-12 13:12:07 UTC
SUSE-SU-2019:2364-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1121567,1149961
CVE References: CVE-2018-16889
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE Enterprise Storage 5 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1
SUSE CaaS Platform 3.0 (src):    ceph-12.2.12+git.1568024032.02236657ca-2.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.