CVE-2018-1129

medium

Description

A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.

References

https://www.debian.org/security/2018/dsa-4339

https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html

https://github.com/ceph/ceph/commit/8f396cf35a3826044b089141667a196454c0a587

https://bugzilla.redhat.com/show_bug.cgi?id=1576057

https://access.redhat.com/errata/RHSA-2018:2274

https://access.redhat.com/errata/RHSA-2018:2261

https://access.redhat.com/errata/RHSA-2018:2179

https://access.redhat.com/errata/RHSA-2018:2177

http://tracker.ceph.com/issues/24837

http://packetstormsecurity.com/files/154245/Kernel-Live-Patch-Security-Notice-LSN-0054-1.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html

Details

Source: Mitre, NVD

Published: 2018-07-10

Updated: 2019-08-29

Risk Information

CVSS v2

Base Score: 3.3

Vector: CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: Medium