First published: Fri Jan 11 2019
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. As a result, encryption key material is written in plaintext to log files. Versions up to v13.2.4 are vulnerable.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Ceph | <=13.2.4 | |
| debian/ceph | 12.2.11+dfsg1-2.1, 12.2.11+dfsg1-2.1+deb10u1, 14.2.21-1, 16.2.11+ds-2, 16.2.11+ds-5 | |
| ubuntu/ceph | <10.2.11-0ubuntu0.16.04.2 | 10.2.11-0ubuntu0.16.04.2 |
| ubuntu/ceph | <12.2.11-0ubuntu0.18.04.1 | 12.2.11-0ubuntu0.18.04.1 |
| ubuntu/ceph | <13.2.4+dfsg1-0ubuntu0.18.10.2 | 13.2.4+dfsg1-0ubuntu0.18.10.2 |
| ubuntu/ceph | <13.2.4+dfsg1-0ubuntu2.1 | 13.2.4+dfsg1-0ubuntu2.1 |
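The practical question for anyone who ran an affected version with debug logging enabled is whether key material actually reached the log files, since every key that did must be treated as exposed. The following Python scanner is an added example written for this page; it is not part of the advisory, of SecAlerts, or of Ceph. It flags and redacts secret-looking tokens in log lines so a responder can check collected logs and strip them before they are shipped elsewhere. The regular expressions encode an assumption about the shape of cephx secrets (base64 blobs, typically beginning with "AQ" and padded with "=="), and the sample log lines and key values are constructed, not taken from a real deployment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (not from a real Ceph host). The two key values are
# made-up base64 strings in the shape cephx secrets take.
SAMPLE_LOG = """\
2019-01-11 10:00:01.123 7f1 10 auth: verify_authorizer_reply ticket ok
2019-01-11 10:00:01.124 7f1 10 cephx: secret_id=42 key AQABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij==
2019-01-11 10:00:02.001 7f1  1 mon.a@0(leader) e1 handle_auth_request
2019-01-11 10:00:02.002 7f1 20 cephx server client.admin: secret=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==
"""

# Heuristic patterns (assumptions about key shape, not taken from Ceph source):
#  - a cephx-style key: a 40-char base64 blob starting with "AQ" and ending "=="
#  - any base64 blob of 32+ chars that directly follows a key-ish field name
CEPHX_KEY_RE = re.compile(r"\bAQ[A-Za-z0-9+/]{36}==")
KEY_FIELD_RE = re.compile(
    r"\b(?:key|secret|secret_key|session_key)\b\s*[=:]?\s*"
    r"(?P<value>[A-Za-z0-9+/]{32,}={0,2})"
)

REDACTED = "<REDACTED>"


def find_key_material(line: str) -> List[str]:
    """Return the distinct secret-looking tokens found in one log line."""
    found: List[str] = []
    for m in KEY_FIELD_RE.finditer(line):
        if m.group("value") not in found:
            found.append(m.group("value"))
    for m in CEPHX_KEY_RE.finditer(line):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def redact_line(line: str) -> str:
    """Replace every secret-looking token with a marker, keeping the rest intact."""
    out = line
    for token in find_key_material(line):
        out = out.replace(token, REDACTED)
    return out


def scan_log(text: str) -> Tuple[List[str], Dict[int, List[str]]]:
    """Scan a whole log; return (redacted lines, {line number: tokens found})."""
    redacted: List[str] = []
    hits: Dict[int, List[str]] = {}
    for n, line in enumerate(text.splitlines(), start=1):
        tokens = find_key_material(line)
        if tokens:
            hits[n] = tokens
        redacted.append(redact_line(line))
    return redacted, hits


if __name__ == "__main__":
    lines, hits = scan_log(SAMPLE_LOG)
    for n, tokens in hits.items():
        print(f"line {n}: {len(tokens)} secret-looking token(s); rotate the affected key(s)")
    print("\n".join(lines))
```

A hit on a real log means the key was available in plaintext to anyone who could read that file or any system the logs were forwarded to, so the response is to rotate it, not only to redact the log. The patterns are deliberately narrow (long base64 runs next to a key-like field, or the AQ-prefixed shape) to keep false positives low; widen them if your logging format differs.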
CVE-2018-16889 is a vulnerability in Ceph that allows encryption key information to be leaked in plaintext to log files.
CVE-2018-16889 has a severity score of 7.5, which is considered high.
Versions up to v13.2.4 of Ceph are vulnerable to CVE-2018-16889.
To fix CVE-2018-16889, you should update Ceph to a version that includes the necessary security patches.
You can find more information about CVE-2018-16889 on the SecurityFocus and Red Hat websites.