Description
A flaw was found in the way signature calculation was handled by the cephx authentication protocol. An attacker with access to the Ceph cluster network who is able to alter the message payload could bypass the signature checks performed by the cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.
References (11)
Core References
https://access.redhat.com/errata/RHSA-2018:2261 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:2177 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://bugzilla.redhat.com/show_bug.cgi?id=1576057 (Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
https://access.redhat.com/errata/RHSA-2018:2179 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:2274 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://tracker.ceph.com/issues/24837 (Issue Tracking, Vendor Advisory; x_refsource_confirm)
https://github.com/ceph/ceph/commit/8f396cf35a3826044b089141667a196454c0a587 (Patch, Third Party Advisory; x_refsource_confirm)
https://www.debian.org/security/2018/dsa-4339 (Third Party Advisory; vendor-advisory; x_refsource_debian)
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html (Mailing List, Third Party Advisory; mailing-list; x_refsource_mlist)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html (Third Party Advisory; vendor-advisory; x_refsource_suse)
http://packetstormsecurity.com/files/154245/Kernel-Live-Patch-Security-Notice-LSN-0054-1.html (Exploit, Third Party Advisory; x_refsource_misc)
Scores
CVSS v3: 6.5
EPSS: 0.0035
EPSS Percentile: 57.4%
Attack Vector: ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-284, CWE-287
Status: published
Products (35)
ceph/ceph 10.2.0
ceph/ceph 10.2.1
ceph/ceph 10.2.2
ceph/ceph 10.2.3
ceph/ceph 10.2.4
ceph/ceph 10.2.5
ceph/ceph 10.2.6
ceph/ceph 10.2.7
ceph/ceph 10.2.8
ceph/ceph 10.2.9
... and 25 more
Published: Jul 10, 2018
Tracked Since: Feb 18, 2026