From 9ee1a62a16c9a011be7b601f9498db6b991724b6 Mon Sep 17 00:00:00 2001 From: David Galloway Date: Thu, 21 Jul 2022 12:11:11 -0400 Subject: [PATCH] doc: CVE-2022-0670 Signed-off-by: David Galloway --- doc/security/CVE-2022-0670.rst | 43 +++++++++++ doc/security/cves.rst | 134 +++++++++++++++++---------------- 2 files changed, 112 insertions(+), 65 deletions(-) create mode 100644 doc/security/CVE-2022-0670.rst diff --git a/doc/security/CVE-2022-0670.rst b/doc/security/CVE-2022-0670.rst new file mode 100644 index 00000000000..557707fecea --- /dev/null +++ b/doc/security/CVE-2022-0670.rst 
@@ -0,0 +1,43 @@ +.. _CVE-2022-0670: + +CVE-2022-0670: Native-CephFS Manila Path-restriction bypass +=========================================================== + +Summary +------- + +Users who were running OpenStack Manila to export native CephFS, who +upgraded their Ceph cluster from Nautilus (or earlier) to a later +major version, were vulnerable to an attack by malicious users. The +vulnerability allowed users to obtain access to arbitrary portions of +the CephFS filesystem hierarchy, instead of being properly restricted +to their own subvolumes. The vulnerability is due to a bug in the +"volumes" plugin in Ceph Manager. This plugin is responsible for +managing Ceph File System subvolumes which are used by OpenStack +Manila services as a way to provide shares to Manila users. + +Again, this vulnerability only impacts OpenStack Manila clusters which +provided native CephFS access to their users. + +Affected versions +----------------- + +Any version of Ceph running OpenStack Manila that was upgraded from Nautilus +or earlier. + +Fixed versions +-------------- + +* Quincy v17.2.2 (and later) +* Pacific v16.2.10 (and later) +* Octopus fix is forthcoming + +Recommendations +--------------- + +#. Users should upgrade to a patched version of Ceph at their earliest + convenience. + +#. Administrators who are + concerned they may have been impacted should audit the CephX keys in + their cluster for proper path restrictions. diff --git a/doc/security/cves.rst b/doc/security/cves.rst index 223b61634fd..8bbccbf64d6 100644 --- a/doc/security/cves.rst +++ b/doc/security/cves.rst 
@@ -2,81 +2,85 @@ Past vulnerabilities ==================== -+------------+-------------------+-------------+--------------------------------------------+ -| Published | CVE | Severity | Summary | -+------------+-------------------+-------------+--------------------------------------------+ -| 2021-05-13 | `CVE-2021-3531`_ | Medium | Swift API denial of service | -+------------+-------------------+-------------+--------------------------------------------+ -| 2021-05-13 | `CVE-2021-3524`_ | Medium | HTTP header injects via CORS in RGW | -+------------+-------------------+-------------+--------------------------------------------+ -| 2021-05-13 | `CVE-2021-3509`_ | High | Dashboard XSS via token cookie | -+------------+-------------------+-------------+--------------------------------------------+ -| 2021-04-14 | `CVE-2021-20288`_ | High | Unauthorized global_id reuse in cephx | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-12-18 | `CVE-2020-27781`_ | 7.1 High | CephFS creds read/modified by Manila users | -+------------+-------------------+-------------+--------------------------------------------+ -| 2021-01-08 | `CVE-2020-25678`_ | 4.9 Medium | mgr module passwords in clear text | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-12-07 | `CVE-2020-25677`_ | 5.5 Medium | ceph-ansible iscsi-gateway.conf perm | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-11-23 | `CVE-2020-25660`_ | 8.8 High | Cephx replay vulnerability | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-04-22 | `CVE-2020-12059`_ | 7.5 High | malformed POST could crash RGW | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-06-26 | `CVE-2020-10753`_ | 6.5 Medium | HTTP header injects via CORS in RGW | 
-+------------+-------------------+-------------+--------------------------------------------+ -| 2020-06-22 | `CVE-2020-10736`_ | 8.0 High | authorization bypass in mon and mgr | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-04-23 | `CVE-2020-1760`_ | 6.1 Medium | potential RGW XSS attack | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-04-13 | `CVE-2020-1759`_ | 6.8 Medium | Cephx nonce reuse in secure mode | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-02-07 | `CVE-2020-1700`_ | 6.5 Medium | RGW disconnects leak sockets, can DoS | -+------------+-------------------+-------------+--------------------------------------------+ -| 2020-04-21 | `CVE-2020-1699`_ | 7.5 High | Dashboard path traversal flaw | -+------------+-------------------+-------------+--------------------------------------------+ -| 2019-12-23 | `CVE-2019-19337`_ | 6.5 Medium | RGW DoS via malformed headers | -+------------+-------------------+-------------+--------------------------------------------+ -| 2019-11-08 | `CVE-2019-10222`_ | 7.5 High | Invalid HTTP headers could crash RGW | -+------------+-------------------+-------------+--------------------------------------------+ -| 2019-03-27 | `CVE-2019-3821`_ | 7.5 High | RGW file descriptors could be exhausted | -+------------+-------------------+-------------+--------------------------------------------+ -| 2019-01-28 | `CVE-2018-16889`_ | 7.5 High | encryption keys logged in plaintext | -+------------+-------------------+-------------+--------------------------------------------+ -| 2019-01-15 | `CVE-2018-16846`_ | 6.5 Medium | authenticated RGW users can cause DoS | -+------------+-------------------+-------------+--------------------------------------------+ -| 2019-01-15 | `CVE-2018-14662`_ | 5.7 Medium | read-only users could steal dm-crypt keys | 
-+------------+-------------------+-------------+--------------------------------------------+ -| 2018-07-10 | `CVE-2018-10861`_ | 8.1 High | authenticated user can create/delete pools | -+------------+-------------------+-------------+--------------------------------------------+ -| 2018-03-19 | `CVE-2018-7262`_ | 7.5 High | malformed headers can cause RGW DoS | -+------------+-------------------+-------------+--------------------------------------------+ -| 2018-07-10 | `CVE-2018-1129`_ | 6.5 Medium | network MITM can tamper with messages | -+------------+-------------------+-------------+--------------------------------------------+ -| 2018-07-10 | `CVE-2018-1128`_ | 7.5 High | Cephx replay vulnerability | -+------------+-------------------+-------------+--------------------------------------------+ -| 2018-07-27 | `CVE-2017-7519`_ | 4.4 Medium | libradosstriper unvalidated format string | -+------------+-------------------+-------------+--------------------------------------------+ -| 2018-08-01 | `CVE-2016-9579`_ | 7.6 High | potential RGW XSS attack | -+------------+-------------------+-------------+--------------------------------------------+ -| 2018-07-31 | `CVE-2016-8626`_ | 6.5 Medium | malformed POST can DoS RGW | -+------------+-------------------+-------------+--------------------------------------------+ -| 2016-10-03 | `CVE-2016-7031`_ | 7.5 High | RGW unauthorized bucket listing | -+------------+-------------------+-------------+--------------------------------------------+ -| 2016-07-12 | `CVE-2016-5009`_ | 6.5 Medium | mon command handler DoS | -+------------+-------------------+-------------+--------------------------------------------+ -| 2016-12-03 | `CVE-2015-5245`_ | | RGW header injection | -+------------+-------------------+-------------+--------------------------------------------+ ++------------+-------------------+-------------+---------------------------------------------+ +| Published | CVE | Severity | Summary | 
++------------+-------------------+-------------+---------------------------------------------+ +| 2022-07-21 | `CVE-2022-0670`_ | Medium | Native-CephFS Manila Path-restriction bypass| ++------------+-------------------+-------------+---------------------------------------------+ +| 2021-05-13 | `CVE-2021-3531`_ | Medium | Swift API denial of service | ++------------+-------------------+-------------+---------------------------------------------+ +| 2021-05-13 | `CVE-2021-3524`_ | Medium | HTTP header injects via CORS in RGW | ++------------+-------------------+-------------+---------------------------------------------+ +| 2021-05-13 | `CVE-2021-3509`_ | High | Dashboard XSS via token cookie | ++------------+-------------------+-------------+---------------------------------------------+ +| 2021-04-14 | `CVE-2021-20288`_ | High | Unauthorized global_id reuse in cephx | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-12-18 | `CVE-2020-27781`_ | 7.1 High | CephFS creds read/modified by Manila users | ++------------+-------------------+-------------+---------------------------------------------+ +| 2021-01-08 | `CVE-2020-25678`_ | 4.9 Medium | mgr module passwords in clear text | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-12-07 | `CVE-2020-25677`_ | 5.5 Medium | ceph-ansible iscsi-gateway.conf perm | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-11-23 | `CVE-2020-25660`_ | 8.8 High | Cephx replay vulnerability | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-04-22 | `CVE-2020-12059`_ | 7.5 High | malformed POST could crash RGW | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-06-26 | `CVE-2020-10753`_ | 6.5 Medium | HTTP header injects via CORS in RGW | 
++------------+-------------------+-------------+---------------------------------------------+ +| 2020-06-22 | `CVE-2020-10736`_ | 8.0 High | authorization bypass in mon and mgr | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-04-23 | `CVE-2020-1760`_ | 6.1 Medium | potential RGW XSS attack | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-04-13 | `CVE-2020-1759`_ | 6.8 Medium | Cephx nonce reuse in secure mode | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-02-07 | `CVE-2020-1700`_ | 6.5 Medium | RGW disconnects leak sockets, can DoS | ++------------+-------------------+-------------+---------------------------------------------+ +| 2020-04-21 | `CVE-2020-1699`_ | 7.5 High | Dashboard path traversal flaw | ++------------+-------------------+-------------+---------------------------------------------+ +| 2019-12-23 | `CVE-2019-19337`_ | 6.5 Medium | RGW DoS via malformed headers | ++------------+-------------------+-------------+---------------------------------------------+ +| 2019-11-08 | `CVE-2019-10222`_ | 7.5 High | Invalid HTTP headers could crash RGW | ++------------+-------------------+-------------+---------------------------------------------+ +| 2019-03-27 | `CVE-2019-3821`_ | 7.5 High | RGW file descriptors could be exhausted | ++------------+-------------------+-------------+---------------------------------------------+ +| 2019-01-28 | `CVE-2018-16889`_ | 7.5 High | encryption keys logged in plaintext | ++------------+-------------------+-------------+---------------------------------------------+ +| 2019-01-15 | `CVE-2018-16846`_ | 6.5 Medium | authenticated RGW users can cause DoS | ++------------+-------------------+-------------+---------------------------------------------+ +| 2019-01-15 | `CVE-2018-14662`_ | 5.7 Medium | read-only users could steal dm-crypt keys | 
++------------+-------------------+-------------+---------------------------------------------+ +| 2018-07-10 | `CVE-2018-10861`_ | 8.1 High | authenticated user can create/delete pools | ++------------+-------------------+-------------+---------------------------------------------+ +| 2018-03-19 | `CVE-2018-7262`_ | 7.5 High | malformed headers can cause RGW DoS | ++------------+-------------------+-------------+---------------------------------------------+ +| 2018-07-10 | `CVE-2018-1129`_ | 6.5 Medium | network MITM can tamper with messages | ++------------+-------------------+-------------+---------------------------------------------+ +| 2018-07-10 | `CVE-2018-1128`_ | 7.5 High | Cephx replay vulnerability | ++------------+-------------------+-------------+---------------------------------------------+ +| 2018-07-27 | `CVE-2017-7519`_ | 4.4 Medium | libradosstriper unvalidated format string | ++------------+-------------------+-------------+---------------------------------------------+ +| 2018-08-01 | `CVE-2016-9579`_ | 7.6 High | potential RGW XSS attack | ++------------+-------------------+-------------+---------------------------------------------+ +| 2018-07-31 | `CVE-2016-8626`_ | 6.5 Medium | malformed POST can DoS RGW | ++------------+-------------------+-------------+---------------------------------------------+ +| 2016-10-03 | `CVE-2016-7031`_ | 7.5 High | RGW unauthorized bucket listing | ++------------+-------------------+-------------+---------------------------------------------+ +| 2016-07-12 | `CVE-2016-5009`_ | 6.5 Medium | mon command handler DoS | ++------------+-------------------+-------------+---------------------------------------------+ +| 2016-12-03 | `CVE-2015-5245`_ | | RGW header injection | ++------------+-------------------+-------------+---------------------------------------------+ .. toctree:: :hidden: :maxdepth: 0 + CVE-2022-0670 CVE-2021-3531 CVE-2021-3524 CVE-2021-3509 CVE-2021-20288 +.. _CVE-2022-0670: ../CVE-2022-0670 .. 
_CVE-2021-3531: ../CVE-2021-3531 .. _CVE-2021-3524: ../CVE-2021-3524 .. _CVE-2021-3509: ../CVE-2021-3509 -- 2.39.5
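Review bot: In the new doc/security/CVE-2022-0670.rst, the second item under Recommendations asks administrators to audit CephX keys "for proper path restrictions" but never says what a proper restriction looks like or how to tell an affected key from a good one. Add a sentence describing the expected form (a key whose path is confined to the user's own subvolume, as the Summary puts it) so the audit is actionable. Two smaller points in the same file: "Affected versions" names no release ranges, only "upgraded from Nautilus or earlier", so a reader cannot tell whether a given Octopus, Pacific or Quincy point release is affected; and "Octopus fix is forthcoming" will go stale once published, so consider linking a tracker or committing to a follow-up edit. The advisory also states no severity, while the cves.rst row in this same patch lists it as Medium; stating it in both places would keep them consistent.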
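Review bot: In the doc/security/cves.rst hunk, the new row ends with `bypass|`, with no padding before the closing pipe, and the whole table has been re-bordered one column wider to make room for it, which is why the diffstat shows 65 deletions for what is logically a one-row addition. A shorter summary that fits the existing column width, for example "CephFS Manila path-restriction bypass", would keep the cell padding consistent with the other rows and reduce this hunk to the new row, its border line, the toctree entry and the link target, which is much easier to review and to backport.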