
CVE-2018-16889

Insertion of Sensitive Information into Log File

Published: Jan 28, 2019 | Modified: Nov 21, 2024
CVSS 3.x (source: NVD): 7.5 HIGH
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 5.0 MEDIUM
  AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2: (none listed)
RedHat/V3: 5.5 MODERATE
  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Ubuntu: LOW

Ceph does not redact encryption keys from its debug logging for v4 auth (AWS Signature Version 4 request authentication in the RADOS Gateway), so key material is written to log files in plaintext. Versions up to and including v13.2.4 are vulnerable. Note the scoring disagreement above: NVD's vector assumes a network-reachable, unauthenticated path (AV:N/PR:N), while Red Hat's assumes the attacker must already hold local, low-privileged access to read the log file (AV:L/PR:L). Either way, if an affected build ran with this debug logging enabled, any key present in retained logs should be treated as exposed: rotate it and scrub the logs, rather than only upgrading.

Weakness

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
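As an added illustration (this is not Ceph's own code and not the actual fix), the C++ below shows the logging pattern behind this class of bug next to a redacting variant, plus a forensic check for keys that an unpatched build may already have written to disk. The header list, the sample header values and the log line format are assumptions constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Headers = std::map<std::string, std::string>;

// Header names whose values must never reach a log. This list is an assumption
// for the example: the SSE-C customer key headers plus the Authorization header.
static const char* const kSensitiveHeaders[] = {
    "authorization",
    "x-amz-server-side-encryption-customer-key",
    "x-amz-server-side-encryption-customer-key-md5",
    "x-amz-copy-source-server-side-encryption-customer-key",
    "x-amz-copy-source-server-side-encryption-customer-key-md5",
};

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

bool is_sensitive_header(const std::string& name) {
    const std::string n = to_lower(name);
    for (const char* s : kSensitiveHeaders) {
        if (n == s) return true;
    }
    return false;
}

// Vulnerable pattern: every header, including customer-supplied keys, is
// written verbatim into the debug log.
std::string format_headers_unsafe(const Headers& h) {
    std::ostringstream out;
    for (const auto& kv : h) out << kv.first << ":" << kv.second << "\n";
    return out.str();
}

// Hardened pattern: identical layout, but sensitive values are replaced before
// the string is handed to the logger. Only the logged copy is altered; the
// canonical request fed into the signature computation stays untouched.
std::string format_headers_redacted(const Headers& h) {
    std::ostringstream out;
    for (const auto& kv : h) {
        out << kv.first << ":"
            << (is_sensitive_header(kv.first) ? "<redacted>" : kv.second) << "\n";
    }
    return out.str();
}

// Forensic check for logs already written by an unpatched build: return every
// line that carries a sensitive header name with an unredacted value.
std::vector<std::string> find_leaked_lines(const std::vector<std::string>& lines) {
    std::vector<std::string> hits;
    for (const auto& line : lines) {
        const std::string l = to_lower(line);
        for (const char* s : kSensitiveHeaders) {
            const std::string needle = std::string(s) + ":";
            const size_t pos = l.find(needle);
            if (pos == std::string::npos) continue;
            if (l.compare(pos + needle.size(), 10, "<redacted>") != 0) {
                hits.push_back(line);
                break;
            }
        }
    }
    return hits;
}

// Constructed sample request headers (not captured from a real gateway).
Headers sample_headers() {
    return {
        {"host", "rgw.example.internal"},
        {"x-amz-date", "20190128T120000Z"},
        {"x-amz-server-side-encryption-customer-algorithm", "AES256"},
        {"x-amz-server-side-encryption-customer-key", "c2FtcGxlLXNzZS1jLWtleS1ub3QtcmVhbA=="},
        {"x-amz-server-side-encryption-customer-key-md5", "c2FtcGxlLW1kNQ=="},
    };
}

// Constructed sample log lines; the timestamp/level prefix is illustrative only.
std::vector<std::string> sample_log_lines() {
    return {
        "2019-01-28 12:00:00.000 20 canonical headers:",
        "2019-01-28 12:00:00.000 20 x-amz-date:20190128T120000Z",
        "2019-01-28 12:00:00.000 20 x-amz-server-side-encryption-customer-key:c2FtcGxlLXNzZS1jLWtleS1ub3QtcmVhbA==",
        "2019-01-28 12:00:00.000 20 x-amz-server-side-encryption-customer-key:<redacted>",
    };
}

int main() {
    std::cout << "redacted debug output:\n" << format_headers_redacted(sample_headers());
    std::cout << "leaked lines in sample log: " << find_leaked_lines(sample_log_lines()).size() << "\n";
    return 0;
}
```

Two points matter when applying this to a real signing path: redact the copy that goes to the logger, never the canonical request that feeds the HMAC, or every v4 signature check will fail; and run the leak scan over retained logs from before the upgrade, since patching stops new writes but does nothing about keys already on disk.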

Affected Software

Name                              | Vendor | Start Version                  | End Version
Ceph                              | Redhat | *                              | 13.2.4 (including)
Red Hat Ceph Storage 3.3          | RedHat | ceph-2:12.2.12-45.el7cp        | *
Red Hat Ceph Storage 3.3          | RedHat | ceph-ansible-0:3.2.24-1.el7cp  | *
Red Hat Ceph Storage 3.3          | RedHat | ceph-iscsi-config-0:2.6-19.el7cp | *
Red Hat Ceph Storage 3.3          | RedHat | cephmetrics-0:2.0.6-1.el7cp    | *
Red Hat Ceph Storage 3.3          | RedHat | libntirpc-0:1.7.4-1.el7cp      | *
Red Hat Ceph Storage 3.3          | RedHat | nfs-ganesha-0:2.7.4-10.el7cp   | *
Red Hat Ceph Storage 3.3          | RedHat | python-crypto-0:2.6.1-16.el7ost | *
Red Hat Ceph Storage 3 for Ubuntu | RedHat | *                              |
Ceph                              | Ubuntu | bionic                         | *
Ceph                              | Ubuntu | cosmic                         | *
Ceph                              | Ubuntu | devel                          | *
Ceph                              | Ubuntu | disco                          | *
Ceph                              | Ubuntu | xenial                         | *

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for:

Potential Mitigations

References