A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Weakness
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ceph | Redhat | * | 16.2.0 (excluding) |
| Ceph_storage | Redhat | 4.0 (including) | 4.0 (including) |
| Red Hat Ceph Storage 4.2 | RedHat | ceph-2:14.2.11-147.el7cp | * |
| Red Hat Ceph Storage 4.2 | RedHat | ceph-ansible-0:4.0.49.2-1.el7cp | * |
| Red Hat Ceph Storage 4.2 | RedHat | gperftools-0:2.6.3-3.el8cp | * |
| Red Hat Ceph Storage 4.2 | RedHat | tcmu-runner-0:1.5.2-3.el8cp | * |
| Ceph | Ubuntu | devel | * |
| Ceph | Ubuntu | esm-infra/focal | * |
| Ceph | Ubuntu | focal | * |
| Ceph | Ubuntu | groovy | * |
| Ceph | Ubuntu | hirsute | * |
| Ceph | Ubuntu | impish | * |
| Ceph | Ubuntu | jammy | * |
| Ceph | Ubuntu | precise/esm | * |
| Ceph | Ubuntu | trusty | * |
| Ceph | Ubuntu | upstream | * |
| Ceph | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1892109
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
- https://security.gentoo.org/glsa/202105-39
- https://tracker.ceph.com/issues/37503
- https://bugzilla.redhat.com/show_bug.cgi?id=1892109
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
- https://security.gentoo.org/glsa/202105-39
- https://tracker.ceph.com/issues/37503