CVE-2018-16889

Description

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.

CVSS Metrics

• v3.0•MEDIUM•Score: 5.5CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
• v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.07%• Percentile: 21%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

• CWE-312•Cleartext Storage of Sensitive Information

  The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

• CWE-532•Insertion of Sensitive Information into Log File

  The product writes sensitive information to a log file.

Affected Systems

• redhat•ceph

  ≤ 13.2.4

• the ceph project•ceph

  ≤ v13.2.4

References (5)

• http://www.securityfocus.com/bid/106528
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
• https://usn.ubuntu.com/4035-1/
• https://access.redhat.com/errata/RHSA-2019:2538
• https://access.redhat.com/errata/RHSA-2019:2541