git.apps.os.sepia.ceph.com Git - ceph-ci.git/commitdiff
doc: CVE-2022-0670
author David Galloway <dgallowa@redhat.com>
Thu, 21 Jul 2022 16:11:11 +0000 (12:11 -0400)
committer David Galloway <dgallowa@redhat.com>
Thu, 21 Jul 2022 16:13:09 +0000 (12:13 -0400)
Signed-off-by: David Galloway <dgallowa@redhat.com>
doc/security/CVE-2022-0670.rst [new file with mode: 0644]
doc/security/cves.rst

diff --git a/doc/security/CVE-2022-0670.rst b/doc/security/CVE-2022-0670.rst
new file mode 100644 (file)
index 0000000..557707f
--- /dev/null
@@ -0,0 +1,43 @@
+.. _CVE-2022-0670:
+
+CVE-2022-0670: Native-CephFS Manila Path-restriction bypass
+===========================================================
+
+Summary
+-------
+
+Users who were running OpenStack Manila to export native CephFS, who
+upgraded their Ceph cluster from Nautilus (or earlier) to a later
+major version, were vulnerable to an attack by malicious users. The
+vulnerability allowed users to obtain access to arbitrary portions of
+the CephFS filesystem hierarchy, instead of being properly restricted
+to their own subvolumes. The vulnerability is due to a bug in the
+"volumes" plugin in Ceph Manager. This plugin is responsible for
+managing Ceph File System subvolumes which are used by OpenStack
+Manila services as a way to provide shares to Manila users.
+
+Again, this vulnerability only impacts OpenStack Manila clusters which
+provided native CephFS access to their users.
+
+Affected versions
+-----------------
+
+Any version of Ceph running OpenStack Manila that was upgraded from Nautilus
+or earlier.
+
+Fixed versions
+--------------
+
+* Quincy v17.2.2 (and later)
+* Pacific v16.2.10 (and later)
+* Octopus fix is forthcoming
+
+Recommendations
+---------------
+
+#. Users should upgrade to a patched version of Ceph at their earliest
+   convenience.
+
+#. Administrators who are
+   concerned they may have been impacted should audit the CephX keys in
+   their cluster for proper path restrictions.
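Review bot: The second item under "Recommendations" tells administrators to "audit the CephX keys in their cluster for proper path restrictions" but gives no way to do it and no description of what a proper restriction looks like. Suggest naming the command that lists keys with their caps (for example `ceph auth ls`) and stating what to check, namely that each Manila client's MDS cap is limited to a path under that client's own subvolume, so a reader can tell an affected key from a correct one. Two smaller points in the same file: "Octopus fix is forthcoming" will go stale once the release ships and should be replaced with the version number then, and "Any version of Ceph running OpenStack Manila" under "Affected versions" reads as if Ceph runs Manila; the Summary's wording ("running OpenStack Manila to export native CephFS") is clearer and could be reused.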
index 223b61634fd498a564c7b7a899e926c0cec8657d..8bbccbf64d6ea4a04dd4a60470100029df6eadad 100644 (file)
@@ -2,81 +2,85 @@
 Past vulnerabilities
 ====================
 
-+------------+-------------------+-------------+--------------------------------------------+
-| Published  | CVE               | Severity    | Summary                                    |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2021-05-13 | `CVE-2021-3531`_  | Medium      | Swift API denial of service                |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2021-05-13 | `CVE-2021-3524`_  | Medium      | HTTP header injects via CORS in RGW        |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2021-05-13 | `CVE-2021-3509`_  | High        | Dashboard XSS via token cookie             |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2021-04-14 | `CVE-2021-20288`_ | High        | Unauthorized global_id reuse in cephx      |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-12-18 | `CVE-2020-27781`_ | 7.1 High    | CephFS creds read/modified by Manila users |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2021-01-08 | `CVE-2020-25678`_ | 4.9 Medium  | mgr module passwords in clear text         |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-12-07 | `CVE-2020-25677`_ | 5.5 Medium  | ceph-ansible iscsi-gateway.conf perm       |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-11-23 | `CVE-2020-25660`_ | 8.8 High    | Cephx replay vulnerability                 |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-04-22 | `CVE-2020-12059`_ | 7.5 High    | malformed POST could crash RGW             |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-06-26 | `CVE-2020-10753`_ | 6.5 Medium  | HTTP header injects via CORS in RGW        |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-06-22 | `CVE-2020-10736`_ | 8.0 High    | authorization bypass in mon and mgr        |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-04-23 | `CVE-2020-1760`_  | 6.1 Medium  | potential RGW XSS attack                   |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-04-13 | `CVE-2020-1759`_  | 6.8 Medium  | Cephx nonce reuse in secure mode           |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-02-07 | `CVE-2020-1700`_  | 6.5 Medium  | RGW disconnects leak sockets, can DoS      |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2020-04-21 | `CVE-2020-1699`_  | 7.5 High    | Dashboard path traversal flaw              |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2019-12-23 | `CVE-2019-19337`_ | 6.5 Medium  | RGW DoS via malformed headers              |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2019-11-08 | `CVE-2019-10222`_ | 7.5 High    | Invalid HTTP headers could crash RGW       |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2019-03-27 | `CVE-2019-3821`_  | 7.5 High    | RGW file descriptors could be exhausted    |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2019-01-28 | `CVE-2018-16889`_ | 7.5 High    | encryption keys logged in plaintext        |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2019-01-15 | `CVE-2018-16846`_ | 6.5 Medium  | authenticated RGW users can cause DoS      |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2019-01-15 | `CVE-2018-14662`_ | 5.7 Medium  | read-only users could steal dm-crypt keys  |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-07-10 | `CVE-2018-10861`_ | 8.1 High    | authenticated user can create/delete pools |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-03-19 | `CVE-2018-7262`_  | 7.5 High    | malformed headers can cause RGW DoS        |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-07-10 | `CVE-2018-1129`_  | 6.5 Medium  | network MITM can tamper with messages      |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-07-10 | `CVE-2018-1128`_  | 7.5 High    | Cephx replay vulnerability                 |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-07-27 | `CVE-2017-7519`_  | 4.4 Medium  | libradosstriper unvalidated format string  |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-08-01 | `CVE-2016-9579`_  | 7.6 High    | potential RGW XSS attack                   |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2018-07-31 | `CVE-2016-8626`_  | 6.5 Medium  | malformed POST can DoS RGW                 |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2016-10-03 | `CVE-2016-7031`_  | 7.5 High    | RGW unauthorized bucket listing            |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2016-07-12 | `CVE-2016-5009`_  | 6.5 Medium  | mon command handler DoS                    |
-+------------+-------------------+-------------+--------------------------------------------+
-| 2016-12-03 | `CVE-2015-5245`_  |             | RGW header injection                       |
-+------------+-------------------+-------------+--------------------------------------------+
++------------+-------------------+-------------+---------------------------------------------+
+| Published  | CVE               | Severity    | Summary                                     |
++------------+-------------------+-------------+---------------------------------------------+
+| 2022-07-21 | `CVE-2022-0670`_  | Medium      | Native-CephFS Manila Path-restriction bypass|
++------------+-------------------+-------------+---------------------------------------------+
+| 2021-05-13 | `CVE-2021-3531`_  | Medium      | Swift API denial of service                 |
++------------+-------------------+-------------+---------------------------------------------+
+| 2021-05-13 | `CVE-2021-3524`_  | Medium      | HTTP header injects via CORS in RGW         |
++------------+-------------------+-------------+---------------------------------------------+
+| 2021-05-13 | `CVE-2021-3509`_  | High        | Dashboard XSS via token cookie              |
++------------+-------------------+-------------+---------------------------------------------+
+| 2021-04-14 | `CVE-2021-20288`_ | High        | Unauthorized global_id reuse in cephx       |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-12-18 | `CVE-2020-27781`_ | 7.1 High    | CephFS creds read/modified by Manila users  |
++------------+-------------------+-------------+---------------------------------------------+
+| 2021-01-08 | `CVE-2020-25678`_ | 4.9 Medium  | mgr module passwords in clear text          |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-12-07 | `CVE-2020-25677`_ | 5.5 Medium  | ceph-ansible iscsi-gateway.conf perm        |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-11-23 | `CVE-2020-25660`_ | 8.8 High    | Cephx replay vulnerability                  |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-04-22 | `CVE-2020-12059`_ | 7.5 High    | malformed POST could crash RGW              |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-06-26 | `CVE-2020-10753`_ | 6.5 Medium  | HTTP header injects via CORS in RGW         |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-06-22 | `CVE-2020-10736`_ | 8.0 High    | authorization bypass in mon and mgr         |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-04-23 | `CVE-2020-1760`_  | 6.1 Medium  | potential RGW XSS attack                    |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-04-13 | `CVE-2020-1759`_  | 6.8 Medium  | Cephx nonce reuse in secure mode            |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-02-07 | `CVE-2020-1700`_  | 6.5 Medium  | RGW disconnects leak sockets, can DoS       |
++------------+-------------------+-------------+---------------------------------------------+
+| 2020-04-21 | `CVE-2020-1699`_  | 7.5 High    | Dashboard path traversal flaw               |
++------------+-------------------+-------------+---------------------------------------------+
+| 2019-12-23 | `CVE-2019-19337`_ | 6.5 Medium  | RGW DoS via malformed headers               |
++------------+-------------------+-------------+---------------------------------------------+
+| 2019-11-08 | `CVE-2019-10222`_ | 7.5 High    | Invalid HTTP headers could crash RGW        |
++------------+-------------------+-------------+---------------------------------------------+
+| 2019-03-27 | `CVE-2019-3821`_  | 7.5 High    | RGW file descriptors could be exhausted     |
++------------+-------------------+-------------+---------------------------------------------+
+| 2019-01-28 | `CVE-2018-16889`_ | 7.5 High    | encryption keys logged in plaintext         |
++------------+-------------------+-------------+---------------------------------------------+
+| 2019-01-15 | `CVE-2018-16846`_ | 6.5 Medium  | authenticated RGW users can cause DoS       |
++------------+-------------------+-------------+---------------------------------------------+
+| 2019-01-15 | `CVE-2018-14662`_ | 5.7 Medium  | read-only users could steal dm-crypt keys   |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-07-10 | `CVE-2018-10861`_ | 8.1 High    | authenticated user can create/delete pools  |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-03-19 | `CVE-2018-7262`_  | 7.5 High    | malformed headers can cause RGW DoS         |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-07-10 | `CVE-2018-1129`_  | 6.5 Medium  | network MITM can tamper with messages       |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-07-10 | `CVE-2018-1128`_  | 7.5 High    | Cephx replay vulnerability                  |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-07-27 | `CVE-2017-7519`_  | 4.4 Medium  | libradosstriper unvalidated format string   |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-08-01 | `CVE-2016-9579`_  | 7.6 High    | potential RGW XSS attack                    |
++------------+-------------------+-------------+---------------------------------------------+
+| 2018-07-31 | `CVE-2016-8626`_  | 6.5 Medium  | malformed POST can DoS RGW                  |
++------------+-------------------+-------------+---------------------------------------------+
+| 2016-10-03 | `CVE-2016-7031`_  | 7.5 High    | RGW unauthorized bucket listing             |
++------------+-------------------+-------------+---------------------------------------------+
+| 2016-07-12 | `CVE-2016-5009`_  | 6.5 Medium  | mon command handler DoS                     |
++------------+-------------------+-------------+---------------------------------------------+
+| 2016-12-03 | `CVE-2015-5245`_  |             | RGW header injection                        |
++------------+-------------------+-------------+---------------------------------------------+
 
 .. toctree::
    :hidden:
    :maxdepth: 0
 
+    CVE-2022-0670 <CVE-2022-0670.rst>
     CVE-2021-3531 <CVE-2021-3531.rst>
     CVE-2021-3524 <CVE-2021-3524.rst>
     CVE-2021-3509 <CVE-2021-3509.rst>
     CVE-2021-20288 <CVE-2021-20288.rst>
 
+.. _CVE-2022-0670: ../CVE-2022-0670
 .. _CVE-2021-3531: ../CVE-2021-3531
 .. _CVE-2021-3524: ../CVE-2021-3524
 .. _CVE-2021-3509: ../CVE-2021-3509
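Review bot: The new `CVE-2022-0670` table row ends with "Path-restriction bypass|", with no space before the closing pipe, while every other row keeps trailing padding. Fitting that summary also widened the last column by one character, which is why all 65 existing table lines are rewritten in this hunk and the one-row addition is hard to see in the diff. Suggest either shortening the summary so it fits the existing column width (leaving the old rows untouched), or widening the column by two so the new cell is padded like the rest. The row also lists the severity as "Medium" although the new advisory file states no severity; consider recording it there too so the two pages agree.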