Bug #43607
closedFeature #47765: mgr/dashboard: security improvements
mgr/dashboard: fix improper URL checking
0%
Description
From https://github.com/rook/rook/issues/4635
Only release 14.2.5 and above show this behaviour (including master) introduced in https://github.com/ceph/ceph/pull/30694.
Assigned CVE-2020-1699
Updated by Ernesto Puerta over 4 years ago
- Priority changed from High to Immediate
- Tags set to security
- Severity changed from 2 - major to 1 - critical
Updated by Ernesto Puerta over 4 years ago
- Status changed from New to In Progress
- Pull request ID set to 32652
Updated by Lenz Grimmer over 4 years ago
Unfortunately the referenced rook issue does not provide any details about the problem. In regular deployments, the Mgr process does not run with root privileges, so the dashboard module should not be able to access any sensitive files. Is this different from how Ceph is deployed by Rook?
Updated by Ernesto Puerta over 4 years ago
- Description updated (diff)
- Affected Versions v14.2.5, v14.2.6, v15.0.0 added
Updated by Ernesto Puerta over 4 years ago
Lenz Grimmer wrote:
Unfortunately the referenced rook issue does not provide any details about the problem. In regular deployments, the Mgr process does not run with root privileges, so the dashboard module should not be able to access any sensitive files. Is this different from how Ceph is deployed by Rook?
As mentioned by e-mail, anything under ceph:ceph ownership could be exposed, and depending on the deployment setup that might mean a lot:
- Ceph keyrings
- Ceph logs (ceph-mgr exposes sensitive information as described in https://tracker.ceph.com/issues/37503, including ceph-dashboard admin password, RGW secrets, etc).
- Ceph daemon data (/var/lib/ceph)
- procfs info from Ceph processes
Updated by Sage Weil over 4 years ago
- Status changed from In Progress to Pending Backport
Updated by Nathan Cutler over 4 years ago
- Copied to Backport #43725: nautilus: mgr/dashboard: fix improper URL checking added
Updated by Ernesto Puerta over 4 years ago
- Copied to deleted (Backport #43725: nautilus: mgr/dashboard: fix improper URL checking)
Updated by Ernesto Puerta over 4 years ago
- Copied to Backport #43725: nautilus: mgr/dashboard: fix improper URL checking added
Updated by Lenz Grimmer about 4 years ago
- Translation missing: en.field_tag_list set to security
- Status changed from Pending Backport to Resolved
- Private changed from Yes to No
- Tags deleted (
security)
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 146 to General - Back-end