Bug 1178905 – VUL-1: CVE-2020-25678: ceph: ceph-dashboard: mgr modules' passwords are in clear text in mgr logs

Bug 1178905 - (CVE-2020-25678) VUL-1: CVE-2020-25678: ceph: ceph-dashboard: mgr modules' passwords are in clear text in mgr logs

(CVE-2020-25678)
Summary:	VUL-1: CVE-2020-25678: ceph: ceph-dashboard: mgr modules' passwords are in cl...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Minor
Target Milestone:	---
Assigned To:	E-Mail List
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/271856/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-11-17 16:27 UTC by Marcus Meissner
Modified:	2021-11-23 18:41 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Sebastian Wagner 2020-11-25 13:06:17 UTC

upstream tracker: https://tracker.ceph.com/issues/37503

Comment 3 Nathan Cutler 2020-11-25 14:13:51 UTC

> We have assigned it CVE-2020-25678 at Red Hat, and currently have it
> under embargo, but plan on lifting it on Monday, Nov. 23rd since it is
> public already.

Wait! It's public already *and* it's under embargo? What's the point of that?

This issue has been around for years, and it's been public the whole time. 

It has obviously not been a high priority in the past, so why is it suddenly high priority now?

Comment 4 Nathan Cutler 2020-11-25 14:15:40 UTC

In short, I think we can safely sit back and wait for Red Hat to fix it, since it looks like they are now sufficiently motivated to do so.

Comment 5 Marcus Meissner 2020-11-25 14:56:05 UTC

i remove the embargoed tag, but will keep the bug still closed to suse employees for now.

Comment 6 Sebastian Wagner 2020-11-25 15:11:52 UTC

upstream takes care of this right now. I agree I think we can lean back here.

Comment 7 Tatjana Dehler 2020-11-26 14:29:22 UTC

There is an open draft PR for the dashboard upstream: https://github.com/ceph/ceph/pull/38284

Comment 10 Swamp Workflow Management 2021-04-08 13:18:29 UTC

SUSE-SU-2021:1108-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766
CVE References: CVE-2020-25678,CVE-2020-27839
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ceph-15.2.9.83+g4275378de0-3.17.1
SUSE Enterprise Storage 7 (src):    ceph-15.2.9.83+g4275378de0-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2021-04-12 07:16:23 UTC

openSUSE-SU-2021:0544-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766
CVE References: CVE-2020-25678,CVE-2020-27839
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ceph-15.2.9.83+g4275378de0-lp152.2.12.1, ceph-test-15.2.9.83+g4275378de0-lp152.2.12.1

Comment 13 Swamp Workflow Management 2021-05-04 10:17:34 UTC

SUSE-SU-2021:1473-1: An update that solves three vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1145463,1174466,1177200,1178235,1178837,1178860,1178905,1179997,1180118,1180594,1181378,1183074,1183487
CVE References: CVE-2020-25678,CVE-2020-27839,CVE-2021-20288
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Manager Retail Branch Server 4.0 (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Manager Proxy 4.0 (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE Enterprise Storage 6 (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1
SUSE CaaS Platform 4.0 (src):    ceph-14.2.20.402+g6aa76c6815-3.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2021-05-04 10:26:06 UTC

SUSE-SU-2021:1472-1: An update that solves three vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 1145463,1174466,1177200,1178016,1178216,1178235,1178657,1178837,1178860,1178905,1179997,1180118,1180594,1181183,1181378,1181665,1183074,1183487,1183600
CVE References: CVE-2020-25678,CVE-2020-27839,CVE-2021-20288
JIRA References: 
Sources used:
SUSE Enterprise Storage 6 (src):    deepsea-0.9.35+git.0.5a1dc9fe-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Marcus Meissner 2021-09-13 11:13:24 UTC

done