Vulnerability CVE-2018-16889: Information

Description

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. As a result, encryption key information is written to log files in plaintext. Versions up to v13.2.4 are vulnerable.

Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Published: Jan. 28, 2019
Modified: Feb. 13, 2023
Error type identifier: CWE-532

References to Advisories, Solutions, and Tools

Hyperlink: Resource

  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889: Exploit, Issue Tracking, Patch, Third Party Advisory
  • 106528: Third Party Advisory
  • USN-4035-1
  • RHSA-2019:2541
  • RHSA-2019:2538

Configuration 1

  • cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:* (End including: 13.2.4)