From: Ilya Dryomov Date: Wed, 10 Aug 2022 09:09:55 +0000 (+0200) Subject: doc/releases/octopus.rst: add note for CVE-2022-0670 X-Git-Tag: v18.0.0~303^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3d18110c2bbd90e5cd99b0d683fc1727e4a766a7;p=ceph.git doc/releases/octopus.rst: add note for CVE-2022-0670 Signed-off-by: Ilya Dryomov --- diff --git a/doc/releases/octopus.rst b/doc/releases/octopus.rst index 802a6e8d3001..eb2e7d7794e8 100644 --- a/doc/releases/octopus.rst +++ b/doc/releases/octopus.rst @@ -30,6 +30,24 @@ Notable Changes or positional arguments is resurrected. Such invocations accidentally became limited to just the default pool (``rbd_default_pool``) in v15.2.14. +* Users who were running OpenStack Manila to export native CephFS, who + upgraded their Ceph cluster from Nautilus (or earlier) to a later + major version, were vulnerable to an attack by malicious users + (:ref:`CVE-2022-0670`). The vulnerability allowed users to obtain + access to arbitrary portions of the CephFS filesystem hierarchy, + instead of being properly restricted to their own subvolumes. The + vulnerability is due to a bug in the "volumes" plugin in Ceph Manager. + This plugin is responsible for managing Ceph File System subvolumes + which are used by OpenStack Manila services as a way to provide shares + to Manila users. + + With this release, the vulnerability is fixed. Administrators who are + concerned they may have been impacted should audit the CephX keys in + their cluster for proper path restrictions. + + Again, this vulnerability only impacts OpenStack Manila clusters which + provided native CephFS access to their users. + Changelog --------------- diff --git a/doc/security/CVE-2022-0670.rst b/doc/security/CVE-2022-0670.rst index 557707fecea2..54ebb7f907cb 100644 --- a/doc/security/CVE-2022-0670.rst +++ b/doc/security/CVE-2022-0670.rst 
@@ -30,7 +30,7 @@ Fixed versions * Quincy v17.2.2 (and later) * Pacific v16.2.10 (and later) -* Octopus fix is forthcoming +* Octopus v15.2.17 Recommendations ---------------
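Review bot: in the octopus.rst hunk, the remediation sentence ("Administrators who are concerned they may have been impacted should audit the CephX keys in their cluster for proper path restrictions") gives readers no pointer to how that audit is done; since this patch also touches doc/security/CVE-2022-0670.rst, which has a Recommendations section, consider linking the sentence there, or at least naming the check (list the keys with `ceph auth ls` and confirm each Manila client's MDS capability carries a `path=` restriction to its own subvolume rather than the filesystem root). Two smaller points in the same hunk: the closing paragraph "Again, this vulnerability only impacts OpenStack Manila clusters which provided native CephFS access to their users." repeats the bullet's opening sentence, so either drop "Again," and fold the scope statement into the first paragraph or keep only one of the two; and the tense shifts from "were vulnerable" to "The vulnerability is due to a bug", which reads better as "was due to a bug" now that the fix has shipped.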
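Review bot: the CVE-2022-0670.rst hunk replaces "Octopus fix is forthcoming" with "Octopus v15.2.17", but the two sibling entries in the visible context read "Quincy v17.2.2 (and later)" and "Pacific v16.2.10 (and later)"; for consistency, and so readers do not take v15.2.17 as the only fixed Octopus release, change the added line to "* Octopus v15.2.17 (and later)".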