CVE-2018-16889
Published: 28 January 2019
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.
Notes
| Author | Note |
|---|---|
| mdeslaur | In Xenial, there are many more instances of information being logged. We will not be fixing this issue in Xenial. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ceph Launchpad, Ubuntu, Debian |
bionic |
Released
(12.2.11-0ubuntu0.18.04.1)
|
| cosmic |
Released
(13.2.4+dfsg1-0ubuntu0.18.10.2)
|
|
| disco |
Released
(13.2.4+dfsg1-0ubuntu2.1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(10.2.11-0ubuntu0.16.04.2)
|
|
|
Patches: upstream: https://github.com/ceph/ceph/commit/ba55e2a96c9dfcc7aa2311431beaaa23cb05c30d |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |