CVE-2018-1128

Priority
Description
It was found that cephx authentication protocol did not verify ceph clients
correctly and was vulnerable to replay attack. Any attacker having access
to ceph cluster network who is able to sniff packets on network can use
this vulnerability to authenticate with ceph service and perform actions
allowed by ceph service. Ceph branches master, mimic, luminous and jewel
are believed to be vulnerable.
Notes
Package
Source: ceph (LP Ubuntu Debian)
Upstream:released (10.2.11,12.2.6)
Ubuntu 12.04 ESM (Precise Pangolin):needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (10.2.11-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (12.2.7-0ubuntu0.18.04.1)
Ubuntu 19.10 (Eoan Ermine):not-affected (13.2.4+dfsg1-0ubuntu1)
Ubuntu 20.04 (Focal Fossa):not-affected (13.2.4+dfsg1-0ubuntu1)
Patches:
Upstream:https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468
Upstream:https://github.com/ceph/ceph/commit/4cbd72f11ecda4c28d1bf47328a4f8672295870a (mimic)
Upstream:https://github.com/ceph/ceph/commit/26816cd80ae245d351d5ce34d8af434fbc798602 (jewel)
More Information

Updated: 2020-04-24 03:46:29 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)