Project

General

Profile

Bug #24836

auth: cephx authorizer subject to replay

Added by Sage Weil 5 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
07/09/2018
Due date:
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:

Description

The cephx authorizer does not have any challenge or nonce, and thus (if sniffed) can be reused by another session.

Fixes are in place:
master: 5ead97120e07054d80623dada90a5cc764c28468
mimic: 4cbd72f11ecda4c28d1bf47328a4f8672295870a
luminous: 5ead97120e07054d80623dada90a5cc764c28468
jewel: 26816cd80ae245d351d5ce34d8af434fbc798602

CVE-2018-1128

History

#1 Updated by Sage Weil 5 months ago

  • Project changed from Ceph to RADOS

Also available in: Atom PDF