It was found Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk encryption.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Ceph | Redhat | * | 13.2.4 (excluding) |
Red Hat Ceph Storage 3.3 | RedHat | ceph-2:12.2.12-45.el7cp | * |
Red Hat Ceph Storage 3.3 | RedHat | ceph-ansible-0:3.2.24-1.el7cp | * |
Red Hat Ceph Storage 3.3 | RedHat | ceph-iscsi-config-0:2.6-19.el7cp | * |
Red Hat Ceph Storage 3.3 | RedHat | cephmetrics-0:2.0.6-1.el7cp | * |
Red Hat Ceph Storage 3.3 | RedHat | libntirpc-0:1.7.4-1.el7cp | * |
Red Hat Ceph Storage 3.3 | RedHat | nfs-ganesha-0:2.7.4-10.el7cp | * |
Red Hat Ceph Storage 3.3 | RedHat | python-crypto-0:2.6.1-16.el7ost | * |
Red Hat Ceph Storage 3 for Ubuntu | RedHat | * | |
Ceph | Ubuntu | bionic | * |
Ceph | Ubuntu | esm-infra-legacy/trusty | * |
Ceph | Ubuntu | precise/esm | * |
Ceph | Ubuntu | trusty | * |
Ceph | Ubuntu | trusty/esm | * |
Ceph | Ubuntu | upstream | * |
Ceph | Ubuntu | xenial | * |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.