From 3d18110c2bbd90e5cd99b0d683fc1727e4a766a7 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Wed, 10 Aug 2022 11:09:55 +0200 Subject: [PATCH] doc/releases/octopus.rst: add note for CVE-2022-0670 Signed-off-by: Ilya Dryomov --- doc/releases/octopus.rst | 18 ++++++++++++++++++ doc/security/CVE-2022-0670.rst | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/doc/releases/octopus.rst b/doc/releases/octopus.rst index 802a6e8d3001..eb2e7d7794e8 100644 --- a/doc/releases/octopus.rst +++ b/doc/releases/octopus.rst @@ -30,6 +30,24 @@ Notable Changes or positional arguments is resurrected. Such invocations accidentally became limited to just the default pool (``rbd_default_pool``) in v15.2.14. +* Users who were running OpenStack Manila to export native CephFS, who + upgraded their Ceph cluster from Nautilus (or earlier) to a later + major version, were vulnerable to an attack by malicious users + (:ref:`CVE-2022-0670`). The vulnerability allowed users to obtain + access to arbitrary portions of the CephFS filesystem hierarchy, + instead of being properly restricted to their own subvolumes. The + vulnerability is due to a bug in the "volumes" plugin in Ceph Manager. + This plugin is responsible for managing Ceph File System subvolumes + which are used by OpenStack Manila services as a way to provide shares + to Manila users. + + With this release, the vulnerability is fixed. Administrators who are + concerned they may have been impacted should audit the CephX keys in + their cluster for proper path restrictions. + + Again, this vulnerability only impacts OpenStack Manila clusters which + provided native CephFS access to their users. + Changelog --------------- diff --git a/doc/security/CVE-2022-0670.rst b/doc/security/CVE-2022-0670.rst index 557707fecea2..54ebb7f907cb 100644 --- a/doc/security/CVE-2022-0670.rst +++ b/doc/security/CVE-2022-0670.rst 
@@ -30,7 +30,7 @@ Fixed versions * Quincy v17.2.2 (and later) * Pacific v16.2.10 (and later) -* Octopus fix is forthcoming +* Octopus v15.2.17 Recommendations --------------- -- 2.47.3
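Review bot: in the octopus.rst hunk, "With this release, the vulnerability is fixed." does not name the release, and a release-notes file that accumulates entries for several point releases leaves the reader guessing which one; the second hunk pins the Octopus fix to v15.2.17, so the note should say the same, e.g. "With v15.2.17, the vulnerability is fixed." The audit advice ("audit the CephX keys in their cluster for proper path restrictions") would also be more actionable with a cross-reference to the Recommendations section of the CVE page this patch edits, since the `:ref:` to CVE-2022-0670 is already present in the same paragraph. Finally, the closing "Again, this vulnerability only impacts ..." paragraph restates the first sentence of the entry; consider dropping it or folding the scope into the opening sentence.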
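Review bot: in the CVE-2022-0670.rst hunk, the new line `* Octopus v15.2.17` is inconsistent with the two entries above it, `* Quincy v17.2.2 (and later)` and `* Pacific v16.2.10 (and later)`; write `* Octopus v15.2.17 (and later)` so readers on a later Octopus point release do not wonder whether they are covered.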