First published: Fri Jan 11 2019
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. As a result, encryption key information is written to log files in plaintext.
Upstream Patch: https://github.com/ceph/ceph/pull/25881/commits
Upstream Bug: http://tracker.ceph.com/issues/37847
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Ceph | <=13.2.4 | |
debian/ceph | 14.2.21-1, 16.2.11+ds-2, 18.2.4+ds-7 | |
CVE-2018-16889 is a vulnerability in Ceph that allows encryption key information to be leaked via plaintext in log files.
CVE-2018-16889 has a severity score of 7.5, which is considered high.
Versions up to v13.2.4 of Ceph are vulnerable to CVE-2018-16889.
To fix CVE-2018-16889, you should update Ceph to a version that includes the necessary security patches.
You can find more information about CVE-2018-16889 on the SecurityFocus and Red Hat websites.